XWiki Platform

The cookie encryption keys should be randomly generated

Details

  • Type: Improvement Improvement
  • Status: In Progress In Progress
  • Priority: Critical Critical
  • Resolution: Unresolved
  • Affects Version/s: 1.0 B1
  • Fix Version/s: None
  • Component/s: Build, Infrastructure and Tests
  • Labels:
    None
  • keywords:
    security cookies
  • Development Priority:
    Medium
  • Similar issues:
    XWIKI-5863Switch to cookie encryption using a cipher provided by bouncycastle.
    XWIKI-2259Configurable prefix for authentication cookies
    XWIKI-1655login action should clean all the cookies
    XWIKI-5156Session cookies are not marked as HttpOnly
    XWIKI-2463 Login cookie validation hash mismatch with Tomcat 5.5.20-2etch2
    XWIKI-2211Cannot log in using Internet Explorer
    XWIKI-2206Cookie domains not compliant with RFC 2109
    XWIKI-8909Random Infinispan error on WebSphere

Description

xwiki.cfg has two parameters, xwiki.authentication.validationKey and xwiki.authentication.encryptionKey, responsible for cookie encryption. These two have predefined values which can be used by an attacker to decode the username/password.

It would be better if the installer (.exe, ant or maven) would generate:
1. a random key pair
2. a host-dependent key-pair, different for each host, but always the same for a host

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Ludovic Dubost added a comment -

For the moment this should be documented in the release notes that admins should change them.

Show
Ludovic Dubost added a comment - For the moment this should be documented in the release notes that admins should change them.
Hide
Permalink
Vincent Massol added a comment -

Ludovic: I think they would be better documented in the Admin Guide in the Configuration section

Show
Vincent Massol added a comment - Ludovic: I think they would be better documented in the Admin Guide in the Configuration section
Hide
Permalink
Vincent Massol added a comment -

Documented in http://www.xwiki.org/xwiki/bin/view/AdminGuide/Security

Show
Vincent Massol added a comment - Documented in http://www.xwiki.org/xwiki/bin/view/AdminGuide/Security
Hide
Permalink
Catalin Hritcu added a comment -

Changed priority to Critical since this affects the security of xwiki.

Show
Catalin Hritcu added a comment - Changed priority to Critical since this affects the security of xwiki.
Hide
Permalink
Raffaello Pelagalli added a comment -

key should be auto-generated during xwiki start and should not appear in any configuration file.
It's not a probleme, imo, that people relog after a server restart.

Show
Raffaello Pelagalli added a comment - key should be auto-generated during xwiki start and should not appear in any configuration file. It's not a probleme, imo, that people relog after a server restart.
Hide
Permalink
Vincent Massol added a comment -

It's not a probleme, imo, that people relog after a server restart.

I don't agree. We'll get lots of people asking why they have to log in again even though they have clicked rememberme.

Show
Vincent Massol added a comment - It's not a probleme, imo, that people relog after a server restart. I don't agree. We'll get lots of people asking why they have to log in again even though they have clicked rememberme.

People

  • Assignee:
    Thomas Delafosse
    Reporter:
    Sergiu Dumitriu
Vote (0)
Watch (1)

Dates

  • Created:
    Updated:
    Date of First Response: