XWiki Platform - XWIKI-542

The cookie encryption keys should be randomly generated

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: 1.0 B1
    • Fix Version/s: None
    • Labels: None
    • Keywords: security cookies
    • Development Priority: Medium

      Description

      xwiki.cfg has two parameters, xwiki.authentication.validationKey and xwiki.authentication.encryptionKey, responsible for cookie encryption. Both ship with predefined default values, which an attacker who knows them can use to decode the username/password stored in the authentication cookie.

      It would be better if the installer (.exe, ant or maven) generated either:
      1. a random key pair, or
      2. a host-dependent key pair, different for each host, but always the same for a given host
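      As an added illustration of option 1 (this is not XWiki's installer code), the POSIX shell snippet below replaces the two predefined keys in an xwiki.cfg with fresh values from the OS random generator and provides a check that the file no longer carries an empty, commented-out or shared key. It assumes OpenSSL is installed and that xwiki.cfg uses plain `key=value` lines; the placeholder default values in the comments are constructed, not the real shipped ones.

      ```shell
      #!/bin/sh
      # Added example: install random cookie keys into xwiki.cfg (not XWiki's own installer).
      # Assumes: openssl on PATH, xwiki.cfg in "key=value" form, one key per line.
      set -eu

      VKEY_NAME=xwiki.authentication.validationKey
      EKEY_NAME=xwiki.authentication.encryptionKey

      # 32 hex characters = 128 bits drawn from the OS CSPRNG via OpenSSL.
      gen_key() {
          openssl rand -hex 16
      }

      # Set one "name=value" line in the config: replaces an existing (possibly
      # commented-out) line for that name, or appends the line if it is absent.
      # The rewrite goes through a temp file so a partial write never clobbers the config.
      set_cfg_value() {
          cfg=$1; name=$2; value=$3
          tmpf=$(mktemp)
          if grep -q "^#* *$name=" "$cfg"; then
              sed "s|^#* *$name=.*|$name=$value|" "$cfg" > "$tmpf"
          else
              cat "$cfg" > "$tmpf"
              printf '%s=%s\n' "$name" "$value" >> "$tmpf"
          fi
          mv "$tmpf" "$cfg"
      }

      # Generate two independent keys and write them into the given xwiki.cfg.
      # Usage: set_random_keys /path/to/xwiki.cfg
      set_random_keys() {
          set_cfg_value "$1" "$VKEY_NAME" "$(gen_key)"
          set_cfg_value "$1" "$EKEY_NAME" "$(gen_key)"
      }

      # Return 0 only if both keys are present, active (not commented out),
      # non-empty and distinct from each other; a failing check means the
      # instance is still relying on a predictable or reused key.
      check_keys() {
          v=$(sed -n "s/^$VKEY_NAME=//p" "$1")
          e=$(sed -n "s/^$EKEY_NAME=//p" "$1")
          [ -n "$v" ] && [ -n "$e" ] && [ "$v" != "$e" ]
      }
      ```

      For option 2, deriving the keys from the hostname alone would make them as guessable as the defaults; a deterministic per-host key needs a secret host-local seed as input.
      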

    People

    • Assignee: Unassigned
    • Reporter: Sergiu Dumitriu (sdumitriu)
    • Votes: 0
    • Watchers: 1