ofbiz-notifications mailing list archives

From "ASF subversion and git services (Jira)" <j...@apache.org>
Subject [jira] [Commented] (OFBIZ-11470) Ensure that the SameSite attribute is set to 'strict' for all cookies.
Date Sat, 21 Mar 2020 11:01:00 GMT

    [ https://issues.apache.org/jira/browse/OFBIZ-11470?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17063854#comment-17063854

ASF subversion and git services commented on OFBIZ-11470:

Commit 16172268977aae2c43f8535d1421fb735d1ccb6d in ofbiz-framework's branch refs/heads/release17.12
from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=1617226 ]

Fixed: Ensure that the SameSite attribute is set to 'strict' for all cookies.


It's better to allow users to change from strict to lax, at least for all
cookies. Some could want to change it by cookie type. I leave the exercise to
them :)

Conflicts handled by hand

> Ensure that the SameSite attribute is set to 'strict' for all cookies.
> ----------------------------------------------------------------------
>                 Key: OFBIZ-11470
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11470
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL APPLICATIONS
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 18.12.01, 17.12.02
> As reported by OWASP ZAP:
> bq. A cookie has been set without the SameSite attribute, which means that the cookie
> can be sent as a result of a 'cross-site' request. The SameSite attribute is an effective
> countermeasure to cross-site request forgery, cross-site script inclusion, and timing attacks.
> The solution was not obvious in OFBiz for 2 reasons:
> 1. There is no HttpServletResponse::setHeader. So we need to use a filter (SameSiteFilter)
> and even that is not enough because of 2:
> 2. To prevent session fixation we force Tomcat to generate a new jsessionId, ultimately
> put in cookie, in LoginWorker::login. So we need to add a call to SameSiteFilter::addSameSiteCookieAttribute
> in UtilHttp::setResponseBrowserDefaultSecurityHeaders.
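An added example of the filter approach the description outlines (this is not OFBiz's own SameSiteFilter; the class name, the `sameSite` init-param and the method names are assumptions): once the chain has run, every Set-Cookie header already on the response is rewritten to carry a SameSite attribute, defaulting to strict and overridable to lax as the commit message suggests.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: rewrites the Set-Cookie headers already present on the
// response so that each one carries a SameSite attribute.
public class SameSiteCookieFilter implements Filter {
    private String sameSiteValue = "strict"; // default; init-param may relax it to "lax"

    @Override
    public void init(FilterConfig config) {
        String configured = config.getInitParameter("sameSite"); // assumed param name
        if ("lax".equalsIgnoreCase(configured) || "strict".equalsIgnoreCase(configured)) {
            sameSiteValue = configured.toLowerCase(Locale.ROOT);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(req, resp);
        if (resp instanceof HttpServletResponse) {
            addSameSiteCookieAttribute((HttpServletResponse) resp, sameSiteValue);
        }
    }

    // Appends "; SameSite=<value>" to every Set-Cookie header that lacks one.
    // Only headers present right now are covered: a cookie added later (e.g. a
    // session id regenerated at login) needs this called again from that path,
    // and the response must not be committed yet or the headers are already sent.
    public static void addSameSiteCookieAttribute(HttpServletResponse response, String value) {
        List<String> rewritten = new ArrayList<>();
        for (String header : response.getHeaders("Set-Cookie")) {
            rewritten.add(withSameSite(header, value));
        }
        boolean first = true;
        for (String header : rewritten) {
            if (first) { response.setHeader("Set-Cookie", header); first = false; } // replaces all
            else { response.addHeader("Set-Cookie", header); }
        }
    }

    // Pure helper: an existing SameSite attribute, whatever its value, is left untouched.
    static String withSameSite(String setCookieHeader, String value) {
        if (setCookieHeader.toLowerCase(Locale.ROOT).contains("samesite=")) {
            return setCookieHeader;
        }
        return setCookieHeader + "; SameSite=" + value;
    }
}
```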

This message was sent by Atlassian Jira
