chemistry-dev mailing list archives

From "Donald Kwakkel (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CMIS-939) Cookie Security: Persistent Cookie is used
Date Mon, 24 Aug 2015 08:19:46 GMT
Donald Kwakkel created CMIS-939:
-----------------------------------

             Summary: Cookie Security: Persistent Cookie is used
                 Key: CMIS-939
                 URL: https://issues.apache.org/jira/browse/CMIS-939
             Project: Chemistry
          Issue Type: Bug
          Components: opencmis-client
    Affects Versions: OpenCMIS 0.13.0
            Reporter: Donald Kwakkel


Storing sensitive data in a persistent cookie can lead to a breach of confidentiality or account
compromise.

Explanation:

Most Web programming environments default to creating non-persistent cookies. These cookies
reside only in browser memory (they are not written to disk) and are lost when the browser
is closed. Programmers can specify that cookies be persisted across browser sessions until
some future date. Such cookies are written to disk and survive across browser sessions and
computer restarts.

If private information is stored in persistent cookies, attackers have a larger time window
in which to steal this data - especially since persistent cookies are often set to expire
in the distant future. Persistent cookies are often used to profile users as they interact
with a site. Depending on what is done with this tracking data, it is possible to use persistent
cookies to violate users' privacy.

In this case setMaxAge() is called in AbstractBrowserServiceCall.java at line 216 with a non-zero
parameter. This max age is also not configurable/possible to disable.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
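The report turns on the difference between a session cookie (no Max-Age/Expires, kept only in browser memory) and a persistent cookie (Max-Age greater than zero, or a future Expires, written to disk). The following is an added example for this thread, not code from the report or from OpenCMIS: a small auditor that parses Set-Cookie header values and says which cookies would survive a browser restart, plus a helper that mirrors the javax.servlet.http.Cookie#setMaxAge convention (negative means session cookie, zero means delete now, positive is a lifetime in seconds). The header rendering in that helper is a simplification that emits Max-Age only, and the sample headers are constructed for the example.

```python
"""Audit Set-Cookie headers for persistence (added example for CMIS-939;
not OpenCMIS code). Attribute parsing follows RFC 6265: Max-Age takes
precedence over Expires, an unparseable Max-Age is ignored, and a value of
zero or a past Expires deletes the cookie rather than persisting it."""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional


@dataclass
class CookieAudit:
    name: str
    persistent: bool                  # survives closing the browser?
    lifetime_seconds: Optional[int]   # None for a session cookie
    secure: bool
    http_only: bool
    reason: str


def servlet_max_age_to_header(name: str, value: str, max_age: int) -> str:
    """Render a Set-Cookie value the way a servlet container treats
    Cookie.setMaxAge(): negative -> no Max-Age attribute (session cookie),
    0 -> Max-Age=0 (delete), positive -> Max-Age=N (persistent for N seconds).
    Simplified: a real container may add Expires for old browsers too."""
    header = f"{name}={value}; Path=/"
    if max_age >= 0:
        header += f"; Max-Age={max_age}"
    return header


def audit_set_cookie(header: str, now: Optional[datetime] = None) -> CookieAudit:
    """Classify one Set-Cookie header value as session or persistent."""
    now = now or datetime.now(timezone.utc)
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        k, _, v = part.partition("=")          # flag attributes give v == ""
        attrs[k.strip().lower()] = v.strip()   # attribute names are case-insensitive

    lifetime: Optional[int] = None
    reason = "no Max-Age/Expires: session cookie, dropped when the browser closes"

    if "max-age" in attrs:
        try:
            lifetime = int(attrs["max-age"])
            reason = f"Max-Age={lifetime}"
        except ValueError:
            lifetime = None                    # RFC 6265 5.2.2: ignore a bad Max-Age
    if lifetime is None and "expires" in attrs:
        try:
            exp = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            exp = None
        if exp is not None:
            if exp.tzinfo is None:
                exp = exp.replace(tzinfo=timezone.utc)
            lifetime = int((exp - now).total_seconds())
            reason = f"Expires={attrs['expires']}"

    persistent = lifetime is not None and lifetime > 0
    if lifetime is not None and lifetime <= 0:
        reason += " (already expired: this deletes the cookie)"
    return CookieAudit(
        name=name, persistent=persistent, lifetime_seconds=lifetime,
        secure="secure" in attrs, http_only="httponly" in attrs, reason=reason,
    )


def persistent_cookies(headers: List[str]) -> List[str]:
    """Names of the cookies in `headers` that would be written to disk."""
    return [a.name for a in map(audit_set_cookie, headers) if a.persistent]


# Constructed sample headers for the demonstration (not from a real response).
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; HttpOnly",                       # session cookie
    "token=s3cr3t; Path=/; Max-Age=2592000; HttpOnly",           # 30 days on disk
    "pref=dark; Expires=Wed, 21 Oct 2099 07:28:00 GMT; Path=/",  # far-future Expires
    "old=x; Max-Age=0; Path=/",                                  # deletion, not persistence
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        a = audit_set_cookie(h)
        print(f"{a.name:<11} persistent={str(a.persistent):<5} {a.reason}")
    print("persistent:", persistent_cookies(SAMPLE_HEADERS))
```

Run against the headers of a real response, the auditor reports any cookie that carries a secret and a positive lifetime; the helper shows why only a negative setMaxAge() argument yields a session cookie, while zero deletes it and any positive value makes it persistent.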
