XWiki Platform / XWIKI-542

The cookie encryption keys should be randomly generated

    Details

    • Type: Improvement
    • Status: In Progress
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: 1.0 B1
    • Fix Version/s: None
    • Labels:
      None
    • keywords:
      security cookies
    • Development Priority:
      Medium

      Description

      xwiki.cfg has two parameters, xwiki.authentication.validationKey and xwiki.authentication.encryptionKey, responsible for cookie encryption. These two have predefined values which can be used by an attacker to decode the username/password.

      It would be better if the installer (.exe, ant or maven) would generate:
      1. a random key pair
      2. a host-dependent key-pair, different for each host, but always the same for a host
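An added example, not code from XWiki or from this issue: an installer step that replaces shipped values of the two parameters with random ones once and leaves already-customised keys alone, so the keys stay stable across restarts. The shipped values, the sample file and the key length and encoding are constructed assumptions; the page does not state them.

```python
import re
import secrets

# The two parameters named in the issue description.
KEY_PARAMS = ("xwiki.authentication.validationKey",
              "xwiki.authentication.encryptionKey")

# Constructed stand-ins for the predefined values; the real ones are not
# listed on this page.
SHIPPED_DEFAULTS = {"PLACEHOLDER_SHIPPED_VALIDATION_KEY",
                    "PLACEHOLDER_SHIPPED_ENCRYPTION_KEY"}

# Constructed sample of an xwiki.cfg fragment as installed.
SAMPLE_CFG = """\
xwiki.encoding=UTF-8
xwiki.authentication.validationKey=PLACEHOLDER_SHIPPED_VALIDATION_KEY
# xwiki.authentication.encryptionKey=PLACEHOLDER_SHIPPED_ENCRYPTION_KEY
"""


def new_key(nbytes=32):
    # Assumption: 32 bytes from the OS CSPRNG, hex-encoded.
    return secrets.token_hex(nbytes)


def ensure_random_keys(cfg_text, keygen=new_key):
    """Return (new_text, replaced_params). Keys already set to a non-shipped
    value are kept, so re-running this step does not invalidate existing
    remember-me cookies."""
    lines, seen, replaced = cfg_text.splitlines(), set(), []
    for i, line in enumerate(lines):
        m = re.match(r"\s*([\w.]+)\s*=\s*(.*?)\s*$", line)
        if not m or m.group(1) not in KEY_PARAMS:
            continue  # comments and unrelated settings are kept untouched
        name, value = m.groups()
        seen.add(name)
        if value == "" or value in SHIPPED_DEFAULTS:
            lines[i] = f"{name}={keygen()}"
            replaced.append(name)
    for name in KEY_PARAMS:
        if name not in seen:  # absent or commented out: set it explicitly
            lines.append(f"{name}={keygen()}")
            replaced.append(name)
    return "\n".join(lines) + "\n", replaced
```
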

        Activity

        Ludovic Dubost added a comment -

        For the moment this should be documented in the release notes that admins should change them.

        Vincent Massol added a comment -

        Ludovic: I think they would be better documented in the Admin Guide in the Configuration section

        Vincent Massol added a comment - Documented in http://www.xwiki.org/xwiki/bin/view/AdminGuide/Security
        Catalin Hritcu added a comment -

        Changed priority to Critical since this affects the security of xwiki.

        Raffaello Pelagalli added a comment -

        Key should be auto-generated during xwiki start and should not appear in any configuration file.
        It's not a problem, imo, that people relog after a server restart.

        Vincent Massol added a comment -

        "It's not a problem, imo, that people relog after a server restart."

        I don't agree. We'll get lots of people asking why they have to log in again even though they have clicked rememberme.


          People

          • Assignee:
            Thomas Delafosse
            Reporter:
            Sergiu Dumitriu
          • Votes:
            0
            Watchers:
            1
