From "ASF subversion and git services (Jira)" <j...@apache.org>
Subject [jira] [Commented] (OFBIZ-11477) Improve Web Content Caching
Date Sat, 04 Apr 2020 16:00:00 GMT

[ https://issues.apache.org/jira/browse/OFBIZ-11477?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17075188#comment-17075188 ]

ASF subversion and git services commented on OFBIZ-11477:
---------------------------------------------------------

Commit e666c65b7cb210bfeffb35884001775dc08fd3aa in ofbiz-framework's branch refs/heads/trunk
from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=e666c65 ]

Improved: Improve Web Content Caching

(OFBIZ-11477)

According to OWASP, OFBiz Web Content Caching is weak:

Independently of the cache policy defined by the web application, if caching web
application contents is allowed, the session IDs must never be cached, so it is
highly recommended to use the Cache-Control: no-cache="Set-Cookie, Set-Cookie2"
directive, to allow web clients to cache everything except the session ID

I noticed, though, that Set-Cookie2 has been deprecated for a long time now. And with the new
browsers' policies it is too often updated. So there is no need to use Set-Cookie2.


> Improve Web Content Caching
> ---------------------------
>
>                 Key: OFBIZ-11477
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11477
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: Release Branch 18.12, Release Branch 17.12
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 18.12.01, 17.12.02
>
>
> According to [OWASP|https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#web-content-caching], OFBiz Web Content Caching is weak:
> {quote}Even after the session has been closed, it might be possible to access the private
> or sensitive data exchanged within the session through the web browser cache. Therefore, web
> applications must use restrictive cache directives for all the web traffic exchanged through
> HTTP and HTTPS, such as the Cache-Control and Pragma HTTP headers, and/or equivalent META
> tags on all or (at least) sensitive web pages.
> {quote}
> {quote}Independently of the cache policy defined by the web application, if caching web
> application contents is allowed, the session IDs must never be cached, so it is highly recommended
> to use the Cache-Control: no-cache="Set-Cookie, Set-Cookie2" directive, to allow web clients
> to cache everything except the session ID (see here).
> {quote}
> I noticed, though, that Set-Cookie2 has been deprecated for a long time now. And with the new
> browsers' policies it is too often updated. So there is no need to use Set-Cookie2.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
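As an added illustration, not code from the OFBiz commit or from OWASP: the directive quoted in the issue, Cache-Control: no-cache="Set-Cookie, Set-Cookie2", is the field-name form of no-cache defined in RFC 7234 section 5.2.2.2. It tells a cache that the response may be reused, but that the listed header fields must never be served from cache without revalidating with the origin, which is what keeps the session cookie out of shared and browser caches while the rest of the page stays cacheable. The Python below models that rule next to the bare no-cache and no-store cases; the function names and the two sample responses are constructed for this example.

```python
"""Added example, not code from the OFBiz commit: a small model of how an HTTP
cache must handle the directive the issue quotes,
Cache-Control: no-cache="Set-Cookie, Set-Cookie2", following RFC 7234 section 5.2.2.2.
Function names and the sample responses below are constructed for this example."""
import re
from typing import Dict, List, Optional, Tuple

Headers = List[Tuple[str, str]]  # ordered (name, value) pairs; names are case-insensitive

# One Cache-Control directive: a name, then optionally "=" and either a quoted-string
# (which may itself contain commas, as in no-cache="Set-Cookie, Set-Cookie2") or a token.
_DIRECTIVE = re.compile(
    r'\s*([A-Za-z0-9_-]+)(?:=(?:"((?:[^"\\]|\\.)*)"|([^,\s]*)))?\s*(?:,|$)'
)


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Map each directive (lowercased) to its argument; quoted-strings are unquoted
    and directives with no argument map to None."""
    result: Dict[str, Optional[str]] = {}
    for m in _DIRECTIVE.finditer(value):
        name, quoted, token = m.group(1).lower(), m.group(2), m.group(3)
        if quoted is not None:
            result[name] = re.sub(r"\\(.)", r"\1", quoted)  # drop quoted-pair escapes
        else:
            result[name] = token or None
    return result


def headers_for_reuse(headers: Headers) -> Optional[Headers]:
    """Return the headers a cache may send to a later client without revalidating
    with the origin, or None when the stored response must not be reused that way.

    RFC 7234: no-store forbids storing at all; a bare no-cache forbids reuse without
    revalidation; no-cache="a, b" allows reuse, but the listed header fields MUST NOT
    be sent without successful revalidation, so they are stripped here.
    """
    cc: Dict[str, Optional[str]] = {}
    for name, value in headers:
        if name.lower() == "cache-control":
            cc.update(parse_cache_control(value))
    if "no-store" in cc:
        return None
    if "no-cache" in cc:
        fields = cc["no-cache"]
        if not fields:
            return None
        banned = {f.strip().lower() for f in fields.split(",") if f.strip()}
        return [(n, v) for n, v in headers if n.lower() not in banned]
    return list(headers)


if __name__ == "__main__":
    # Constructed responses: the first carries the directive the issue recommends
    # (without the obsolete Set-Cookie2), the second the restrictive policy OWASP asks
    # for on sensitive pages. The cookie value is a placeholder.
    public_page = [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "JSESSIONID=0123456789abcdef; Path=/; HttpOnly; Secure"),
        ("Cache-Control", 'no-cache="Set-Cookie"'),
    ]
    account_page = [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "JSESSIONID=0123456789abcdef; Path=/; HttpOnly; Secure"),
        ("Cache-Control", "no-cache, no-store, must-revalidate"),
    ]
    print("public page, headers a cache may reuse:", headers_for_reuse(public_page))
    print("account page, headers a cache may reuse:", headers_for_reuse(account_page))
```

Two caveats a reviewer would add when relying on this directive: RFC 7234 notes that the qualified form of no-cache is not widely implemented, so restrictive directives (no-store on sensitive pages) remain the primary control and the field-name form is defence in depth; and naming Set-Cookie2 is harmless but pointless, since RFC 6265 obsoleted the RFC 2965 cookie headers, which is the point the commit message makes.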
