chemistry-dev mailing list archives

From "Donald Kwakkel (JIRA)" <>
Subject [jira] [Commented] (CMIS-939) Cookie Security: Persistent Cookie is used
Date Mon, 24 Aug 2015 08:22:45 GMT


Donald Kwakkel commented on CMIS-939:

Just found out it is a transaction cookie and not an authentication cookie, so closing this ticket.

> Cookie Security: Persistent Cookie is used
> ------------------------------------------
>                 Key: CMIS-939
>                 URL:
>             Project: Chemistry
>          Issue Type: Bug
>          Components: opencmis-client
>    Affects Versions: OpenCMIS 0.13.0
>            Reporter: Donald Kwakkel
> Storing sensitive data in a persistent cookie can lead to a breach of confidentiality or account compromise.
> Explanation:
> Most Web programming environments default to creating non-persistent cookies. These cookies reside only in browser memory (they are not written to disk) and are lost when the browser is closed. Programmers can specify that cookies be persisted across browser sessions until some future date. Such cookies are written to disk and survive across browser sessions and computer restarts.
> If private information is stored in persistent cookies, attackers have a larger time window in which to steal this data - especially since persistent cookies are often set to expire in the distant future. Persistent cookies are often used to profile users as they interact with a site. Depending on what is done with this tracking data, it is possible to use persistent cookies to violate users' privacy.
> In this case setMaxAge() is called in at line 216 with a non-zero parameter. This max age is also not configurable/possible to disable.

This message was sent by Atlassian JIRA
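The ticket above turns on one distinction: a cookie with a positive Max-Age (or a future Expires) is written to disk by the user agent, while a cookie without either attribute lives only for the browser session. The resolution was that the persistent cookie in question carries a transaction id rather than authentication state, which is exactly the check a reviewer would want to automate. The following is an added example, not code from OpenCMIS or from the ticket: it parses Set-Cookie headers, decides whether each cookie is persistent using the RFC 6265 precedence rule (Max-Age over Expires), and reports only persistent cookies whose names are assumed to carry sensitive state. The cookie names in SENSITIVE_NAMES and the SAMPLE_HEADERS are constructed for this example.

```python
"""Audit Set-Cookie headers for persistent cookies carrying sensitive data.

Added example; not part of OpenCMIS or the original ticket.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Cookie names assumed (for this constructed example) to carry authentication
# state. Adjust to the application being audited.
SENSITIVE_NAMES = {"authtoken", "jsessionid", "sessionid", "remember_me"}


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to True. Only the minimal RFC 6265 syntax is handled.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def lifetime_seconds(attrs, now):
    """Return the remaining lifetime in seconds, or None for a session cookie.

    Per RFC 6265 a Max-Age attribute takes precedence over Expires. A
    malformed attribute is ignored, as user agents do.
    """
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"])
        except ValueError:
            return None
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return int((expires - now).total_seconds())
    return None


def is_persistent(attrs, now):
    """True when the user agent would write the cookie to disk.

    A zero or negative lifetime is a deletion, not a persistent cookie.
    """
    life = lifetime_seconds(attrs, now)
    return life is not None and life > 0


def audit(headers, now=None, sensitive_names=SENSITIVE_NAMES):
    """Return (name, lifetime) for each persistent cookie named in sensitive_names.

    Persistent cookies with non-sensitive names (a UI preference, a
    transaction id) are deliberately not reported.
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    for header in headers:
        name, _value, attrs = parse_set_cookie(header)
        if name.lower() in sensitive_names and is_persistent(attrs, now):
            findings.append((name, lifetime_seconds(attrs, now)))
    return findings


# Constructed sample responses; not captured from OpenCMIS or any real server.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; Secure; HttpOnly",                   # session cookie: fine
    "authToken=xyz; Max-Age=31536000; Path=/; Secure; HttpOnly",      # persistent auth cookie: flagged
    "theme=dark; Expires=Wed, 09 Jun 2027 10:18:14 GMT; Path=/",      # persistent but not sensitive
    "txnId=t-42; Max-Age=600; Path=/",                                # persistent transaction id: not sensitive
    "remember_me=1; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/",   # past Expires: a deletion
]

if __name__ == "__main__":
    for cookie_name, life in audit(SAMPLE_HEADERS):
        print(f"persistent sensitive cookie: {cookie_name} (lifetime {life}s)")
```

Run against the constructed headers, only `authToken` is reported: `JSESSIONID` has no lifetime attribute, `theme` and `txnId` are persistent but not in the sensitive set, and `remember_me` carries an Expires in the past, which is how a server deletes a cookie rather than persists it.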
