ofbiz-notifications mailing list archives

From "Jacques Le Roux (Jira)" <j...@apache.org>
Subject [jira] [Closed] (OFBIZ-11470) Ensure that the SameSite attribute is set to 'strict' for all cookies.
Date Fri, 20 Mar 2020 17:01:00 GMT

     [ https://issues.apache.org/jira/browse/OFBIZ-11470?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux closed OFBIZ-11470.
-----------------------------------
    Fix Version/s: 17.12.02
                   18.12.01
       Resolution: Fixed

Here is more information about the SameSite attribute from the [OWASP Cross-Site Request Forgery
(CSRF) Prevention Cheat Sheet|https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#samesite-cookie-attribute]:

bq. All desktop browsers and almost all mobile browsers now support the SameSite attribute.
To keep track of the browsers implementing it and the usage of the attribute, refer to the
following service. Note that Chrome has announced that they will mark cookies as SameSite=Lax
by default from Chrome 80 (due in February 2020), and Firefox and Edge are both planning to
follow suit. Additionally, the Secure flag will be required for cookies that are marked as
SameSite=None.


bq. It is important to note that this attribute should be implemented as an additional layer
defense in depth concept. This attribute protects the user through the browsers supporting
it, and it contains as well 2 ways to bypass it as mentioned in the following section. This
attribute should not replace having a CSRF Token. Instead, it should co-exist with that token
in order to protect the user in a more robust way.

> Ensure that the SameSite attribute is set to 'strict' for all cookies.
> ----------------------------------------------------------------------
>
>                 Key: OFBIZ-11470
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11470
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL APPLICATIONS
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 18.12.01, 17.12.02
>
>
> As reported by OWASP ZAP:
> bq. A cookie has been set without the SameSite attribute, which means that the cookie
> can be sent as a result of a 'cross-site' request. The SameSite attribute is an effective
> countermeasure to cross-site request forgery, cross-site script inclusion, and timing attacks.
> The solution was not obvious in OFBiz for 2 reasons:
> # There is no HttpServletResponse::setHeader. So we need to use a filter (SameSiteFilter)
> and even that is not enough because of 2:
> # To prevent session fixation we force Tomcat to generate a new jsessionId, ultimately
> put in cookie, in LoginWorker::login. So we need to add a call to SameSiteFilter::addSameSiteCookieAttribute
> in UtilHttp::setResponseBrowserDefaultSecurityHeaders.
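The two-call-site approach the quoted issue describes, as an added Java illustration that is not OFBiz's own SameSiteFilter: a hypothetical servlet filter (SameSiteStrictFilter) rewrites the Set-Cookie headers after the filter chain runs, and exposes the same rewrite as a static helper (addSameSite) so it can also be invoked right after a session is regenerated. Class, method and field names are assumptions.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter for illustration; not OFBiz's SameSiteFilter. */
public class SameSiteStrictFilter implements Filter {

    static final String SAME_SITE = "SameSite=Strict";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(req, res);
        // Runs after the application has written its cookies. Cookies added once
        // the response is committed (e.g. a session regenerated by the login
        // handler followed by a redirect) cannot be rewritten here, so the
        // same helper must also be called right after that point.
        if (res instanceof HttpServletResponse) {
            addSameSite((HttpServletResponse) res);
        }
    }

    /**
     * Rewrites every Set-Cookie header on the response so it carries
     * SameSite=Strict. Safe to call more than once: headers that already
     * have a SameSite attribute are left untouched. No effect once the
     * response is committed, so call it before any output is flushed.
     */
    public static void addSameSite(HttpServletResponse response) {
        if (response.isCommitted()) {
            return;
        }
        // Copy first: setHeader/addHeader below modify the live collection.
        List<String> cookies = new ArrayList<>(response.getHeaders("Set-Cookie"));
        boolean first = true;
        for (String cookie : cookies) {
            String value = cookie.toLowerCase().contains("samesite=")
                    ? cookie : cookie + "; " + SAME_SITE;
            if (first) {
                response.setHeader("Set-Cookie", value); // replaces all existing Set-Cookie headers
                first = false;
            } else {
                response.addHeader("Set-Cookie", value);
            }
        }
    }
}
```

Header rewriting is used because the Servlet API's Cookie class has no SameSite setter; recent Tomcat releases can alternatively set the attribute per context through the CookieProcessor's sameSiteCookies setting in context.xml.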



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
