XWiki Platform / XWIKI-542

The cookie encryption keys should be randomly generated

    Details

    • Type: Improvement
    • Status: In Progress
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: 1.0 B1
    • Fix Version/s: None
    • Labels:
      None
    • keywords:
      security cookies
    • Development Priority:
      Medium
    • Similar issues:
      XWIKI-5863 Switch to cookie encryption using a cipher provided by bouncycastle.
      XWIKI-2259 Configurable prefix for authentication cookies
      XWIKI-1655 login action should clean all the cookies
      XWIKI-5156 Session cookies are not marked as HttpOnly
      XWIKI-2463 Login cookie validation hash mismatch with Tomcat 5.5.20-2etch2
      XWIKI-2211 Cannot log in using Internet Explorer
      XWIKI-9267 Object/properties delete events randomly not properly generated
      XWIKI-10328 Authentication cookies should be marked as Secure
      XWIKI-8909 Random Infinispan error on WebSphere

      Description

      xwiki.cfg has two parameters, xwiki.authentication.validationKey and xwiki.authentication.encryptionKey, responsible for cookie encryption. These two have predefined values which can be used by an attacker to decode the username/password.

      It would be better if the installer (.exe, ant or maven) would generate:
      1. a random key pair
      2. a host-dependent key-pair, different for each host, but always the same for a host
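
      One way an installer step could implement option 1 from the description (a random key pair), as an added example that is not XWiki code. The 32-character alphanumeric key format, the `rekey` helper and the sample config are assumptions made for illustration.

```python
import re
import secrets
import string

# Property names are the two named in the issue description.
KEYS = ("xwiki.authentication.validationKey",
        "xwiki.authentication.encryptionKey")
ALPHABET = string.ascii_letters + string.digits
KEY_LENGTH = 32  # assumption: adjust to what your XWiki version expects


def random_key(length=KEY_LENGTH):
    """Return a key drawn from the operating system's CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rekey(cfg_text):
    """Return (new_cfg_text, generated) with both keys set to fresh values.

    An existing assignment (even a commented-out one) is replaced in place,
    duplicate assignments are dropped, and a missing property is appended.
    """
    generated = {}
    lines = cfg_text.splitlines()
    for name in KEYS:
        generated[name] = random_key()
        new_line = f"{name}={generated[name]}"
        pattern = re.compile(r"^\s*#?\s*" + re.escape(name) + r"\s*=")
        hits = [i for i, line in enumerate(lines) if pattern.match(line)]
        if hits:
            lines[hits[0]] = new_line
            for i in reversed(hits[1:]):  # keep exactly one live value
                del lines[i]
        else:
            lines.append(new_line)
    return "\n".join(lines) + "\n", generated


# Constructed sample config; the key values are placeholders,
# not the values XWiki ships with.
SAMPLE_CFG = """\
example.other.setting=1
xwiki.authentication.validationKey=PLACEHOLDER_SHIPPED_VALUE
# xwiki.authentication.encryptionKey=PLACEHOLDER_SHIPPED_VALUE
"""

if __name__ == "__main__":
    new_cfg, keys = rekey(SAMPLE_CFG)
    print("rewrote:", ", ".join(keys))  # names only, never log the values
```

      Because the values are written to xwiki.cfg once at install time, they survive restarts, so remember-me cookies stay valid.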

        Activity

        Ludovic Dubost added a comment -

        For the moment this should be documented in the release notes that admins should change them.

        Vincent Massol added a comment -

        Ludovic: I think they would be better documented in the Admin Guide in the Configuration section

        Vincent Massol added a comment -

        Documented in http://www.xwiki.org/xwiki/bin/view/AdminGuide/Security

        Catalin Hritcu added a comment -

        Changed priority to Critical since this affects the security of xwiki.

        Raffaello Pelagalli added a comment -

        Key should be auto-generated during xwiki start and should not appear in any configuration file.
        It's not a problem, imo, that people relog after a server restart.

        Vincent Massol added a comment -

        "It's not a problem, imo, that people relog after a server restart."

        I don't agree. We'll get lots of people asking why they have to log in again even though they have clicked rememberme.


          People

          • Assignee:
            Thomas Delafosse
            Reporter:
            Sergiu Dumitriu