ofbiz-notifications mailing list archives

From "ASF subversion and git services (Jira)" <j...@apache.org>
Subject [jira] [Commented] (OFBIZ-11470) Ensure that the SameSite attribute is set to 'strict' for all cookies.
Date Sat, 21 Mar 2020 11:01:00 GMT

    [ https://issues.apache.org/jira/browse/OFBIZ-11470?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17063855#comment-17063855

ASF subversion and git services commented on OFBIZ-11470:

Commit d08a0527c465642da43ff4d8d0e9876cf8b697f6 in ofbiz-framework's branch refs/heads/release18.12
from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=d08a052 ]

Fixed: Ensure that the SameSite attribute is set to 'strict' for all cookies.


It's better to allow users to change from strict to lax, at least for all
cookies. Some could want to change it by cookie type. I leave the exercise to
them :)

> Ensure that the SameSite attribute is set to 'strict' for all cookies.
> ----------------------------------------------------------------------
>                 Key: OFBIZ-11470
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11470
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL APPLICATIONS
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 18.12.01, 17.12.02
> As reported by OWASP ZAP:
> bq. A cookie has been set without the SameSite attribute, which means that the cookie
> can be sent as a result of a 'cross-site' request. The SameSite attribute is an effective
> countermeasure to cross-site request forgery, cross-site script inclusion, and timing attacks.
> The solution was not obvious in OFBiz for 2 reasons:
> # There is no HttpServletResponse::setHeader. So we need to use a filter (SameSiteFilter)
> and even that is not enough because of 2:
> # To prevent session fixation we force Tomcat to generate a new jsessionId, ultimately
> put in a cookie, in LoginWorker::login. So we need to add a call to SameSiteFilter::addSameSiteCookieAttribute
> in UtilHttp::setResponseBrowserDefaultSecurityHeaders.
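The filter-plus-helper approach the issue description sketches, as an added example that is not OFBiz's own code: a Servlet filter wraps the response so every Set-Cookie header written downstream gets a SameSite attribute, and a static helper re-stamps cookies already on the response, which is what a post-login session-id regeneration needs. The class name, the `sameSite` init-param and the Strict/Lax switch are assumptions, not OFBiz configuration.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/** Constructed example: a filter that adds SameSite to every Set-Cookie header. */
public class SameSiteCookieFilter implements Filter {
    /** "Strict" by default; "Lax" can be selected through the (hypothetical) init-param "sameSite". */
    private String sameSite = "Strict";

    @Override
    public void init(FilterConfig config) {
        if ("Lax".equalsIgnoreCase(config.getInitParameter("sameSite"))) {
            sameSite = "Lax";
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        // Wrap the response: Set-Cookie headers written via addHeader/setHeader get the attribute.
        HttpServletResponseWrapper wrapped = new HttpServletResponseWrapper(response) {
            @Override public void addHeader(String name, String header) {
                super.addHeader(name, "Set-Cookie".equalsIgnoreCase(name) ? withSameSite(header, sameSite) : header);
            }
            @Override public void setHeader(String name, String header) {
                super.setHeader(name, "Set-Cookie".equalsIgnoreCase(name) ? withSameSite(header, sameSite) : header);
            }
        };
        chain.doFilter(req, wrapped);
        // Cookies written on the underlying response (addCookie, container session cookie) bypass
        // the wrapper, so re-stamp them; this only takes effect while the response is uncommitted.
        addSameSiteCookieAttribute(response, sameSite);
    }

    /** Appends SameSite=<value> unless the cookie already carries a SameSite attribute. */
    static String withSameSite(String setCookie, String value) {
        return setCookie.toLowerCase().contains("samesite=") ? setCookie : setCookie + "; SameSite=" + value;
    }

    /** Re-emits every Set-Cookie header already on the response with the SameSite attribute.
     *  Call this again right after the session id is regenerated at login, because Tomcat writes
     *  that new JSESSIONID Set-Cookie header directly on the container response. */
    public static void addSameSiteCookieAttribute(HttpServletResponse response, String value) {
        List<String> headers = new ArrayList<>(response.getHeaders("Set-Cookie")); // copy before rewriting
        for (int i = 0; i < headers.size(); i++) {
            String rewritten = withSameSite(headers.get(i), value);
            if (i == 0) response.setHeader("Set-Cookie", rewritten); // first call replaces all existing values
            else response.addHeader("Set-Cookie", rewritten);
        }
    }

    @Override public void destroy() { }
}
```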

This message was sent by Atlassian Jira
