Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

deprecate HttpSessionSecurityCookieFilter #484

Closed
bradcupit opened this issue May 9, 2014 · 0 comments · Fixed by #486
Closed

deprecate HttpSessionSecurityCookieFilter #484

bradcupit opened this issue May 9, 2014 · 0 comments · Fixed by #486

Comments

@bradcupit
Copy link
Contributor

See original discussion on the GWTP mailing list.

First a side note:
An XSS attack can run JavaScript and read cookies like the JSESSIONID. That means an attacker could hijack the user's session, so to prevent this it's good to mark the JSESSIONID as 'HttpOnly'.

GWTP has built-in protection against a different kind of attack, CSRF, via HttpSessionSecurityCookieFilter. In a CSRF attack the attacker can't see the client cookies. Unfortunately HttpSessionSecurityCookieFilter does it's magic by duplicating the JSESSIONID. So even if we mark the real JSESSIONID as HttpOnly to prevent session hijacking (see side note above), an XSS attacker can still see our JSESSIONID in the GWTP cookie, and still hijack our session. Unfortunately, we can't fix HttpSessionSecurityCookieFilter's cookie with 'HttpOnly' since GWTP client code needs to read it.

Instead we should use GWTP's RandomSecurityCookieFilter, which uses a random number rather than the JSESSIONID.

This ticket is to deprecate HttpSessionSecurityCookieFilter and document why.

Note: it's not a problem unless the app is already vulnerable to XSS, but using HttpSessionSecurityCookieFilter negates using the 'HttpOnly' preventative measure.
bradcupit added a commit to bradcupit/GWTP that referenced this issue May 9, 2014
@bradcupit
deprecate HttpSessionSecurityCookieFilter
162ef28 
See GitHub issue ArcBees#484

HttpSessionSecurityCookieFilter duplicates the JSESSIONID in another cookie, one that can't be marked 'Htt
pOnly'. That means in an XSS attack the attacker could read the JSESSIONID and hijack the session.

Instead we should use RandomSecurityCookieFilter which doesn't have this issue (since it doesn't duplicate the JSESSIONID).
bradcupit added a commit to bradcupit/GWTP that referenced this issue May 9, 2014
@bradcupit
deprecate HttpSessionSecurityCookieFilter
6e67b42 
This fixes ArcBees#484

HttpSessionSecurityCookieFilter duplicates the JSESSIONID in another cookie, one that can't be marked 'Htt
pOnly'. That means in an XSS attack the attacker could read the JSESSIONID and hijack the session.

Instead we should use RandomSecurityCookieFilter which doesn't have this issue (since it doesn't duplicate the JSESSIONID).
@bradcupit bradcupit mentioned this issue May 9, 2014
Merged
@bmorris591 bmorris591 mentioned this issue Oct 1, 2014
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

deprecate HttpSessionSecurityCookieFilter bradcupit/GWTP
1 participant
@bradcupit