DWR

Make http session cookie embedded in script include a hash of the path of the page

Details

  • Type: Improvement
  • Status: Open
  • Priority: Trivial
  • Resolution: Unresolved
  • Affects Version/s: None
  • Fix Version/s: 4.0
  • Component/s: Core, Engine, Security
  • Description:
    CSRF protection:
    Include the path of the page in the security credentials for a page.
    The advantage being that you can't use leakage in one part of your app as an oracle for a separate action

Activity

Joe Walker added a comment - 31/Mar/07 9:07 AM

We would be better off not using the JSESSIONID value as the in-page nonce.

HttpOnly cookies exist to prevent XSS attacks from getting at the cookie value, and using JSESSIONID as the in-page nonce effectively breaks this protection. We should have two separate nonces: one for in-page protection and one for in-header protection (JSESSIONID).

David Marginian added a comment - 23/Jul/10 4:57 AM

Related to, need to update the link options!


Dates

  • Created:
    29/Mar/07 9:39 AM
    Updated:
    23/Jul/10 4:57 AM