
Key: XWIKI-542
Type: Improvement
Status: Open
Priority: Critical
Assignee: Unassigned
Reporter: Sergiu Dumitriu
Votes: 0
Watchers: 0
XWiki Core

The cookie encryption keys should be randomly generated

Created: 15/Dec/06 12:43   Updated: Yesterday 19:30
Component/s: Build, Infrastructure and Tests
Affects Version/s: 1.0 B1
Fix Version/s: Future

keywords: security cookies
Date of First Response: 15/Dec/06 13:57
Development Priority: Medium


Description
xwiki.cfg has two parameters, xwiki.authentication.validationKey and xwiki.authentication.encryptionKey, responsible for cookie encryption. These two have predefined values which can be used by an attacker to decode the username/password.

It would be better if the installer (.exe, ant or maven) would generate:
1. a random key pair
2. a host-dependent key-pair, different for each host, but always the same for a host
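As an added example (not XWiki project code), a small script that flags an xwiki.cfg still carrying shipped or reused cookie keys and rewrites both parameters with fresh CSPRNG values, i.e. option 1 above. The default strings it compares against are constructed placeholders, since the shipped values are not given here; substitute the literals from your own xwiki.cfg.

```python
"""Detect default/reused XWiki cookie keys and replace them with random ones.
Added example; KNOWN_DEFAULTS and SAMPLE_CFG are constructed placeholders."""
import re
import secrets

KEY_NAMES = ("xwiki.authentication.validationKey",
             "xwiki.authentication.encryptionKey")

# Constructed placeholders: replace with the literal defaults shipped in xwiki.cfg.
KNOWN_DEFAULTS = {"CHANGEME_DEFAULT_VALIDATION_KEY", "CHANGEME_DEFAULT_ENCRYPTION_KEY"}

# Matches either key line; group 1 is "#" when the line is commented out.
_LINE = re.compile(
    r"^\s*(#?)\s*(xwiki\.authentication\.(?:validation|encryption)Key)\s*=\s*(.*?)\s*$")

def read_keys(cfg_text):
    """Return {name: value} for the two keys as currently active (commented lines ignored)."""
    found = {}
    for line in cfg_text.splitlines():
        m = _LINE.match(line)
        if m and not m.group(1):
            found[m.group(2)] = m.group(3)
    return found

def weak_keys(cfg_text):
    """Names of keys that are missing, still at a known default, or identical to each other."""
    keys = read_keys(cfg_text)
    bad = {n for n in KEY_NAMES if not keys.get(n) or keys[n] in KNOWN_DEFAULTS}
    validation, encryption = (keys.get(n) for n in KEY_NAMES)
    if validation and validation == encryption:  # one secret doing both jobs
        bad.update(KEY_NAMES)
    return sorted(bad)

def generate_key(nbytes=32):
    """32 bytes from the OS CSPRNG, hex-encoded so the value is safe on a .cfg line."""
    return secrets.token_hex(nbytes)

def rewrite_keys(cfg_text, new_keys=None):
    """Return cfg text with both keys set to fresh values: active lines replaced, missing appended."""
    new_keys = new_keys or {n: generate_key() for n in KEY_NAMES}
    out, seen = [], set()
    for line in cfg_text.splitlines():
        m = _LINE.match(line)
        if m and not m.group(1):
            out.append(f"{m.group(2)}={new_keys[m.group(2)]}")
            seen.add(m.group(2))
        else:
            out.append(line)
    out.extend(f"{n}={new_keys[n]}" for n in KEY_NAMES if n not in seen)
    return "\n".join(out) + "\n"

# Constructed xwiki.cfg fragment standing in for an untouched default install.
SAMPLE_CFG = """# Cookie keys
xwiki.authentication.validationKey=CHANGEME_DEFAULT_VALIDATION_KEY
xwiki.authentication.encryptionKey=CHANGEME_DEFAULT_ENCRYPTION_KEY
"""
```

Run `weak_keys()` over the deployed xwiki.cfg as a post-install check; an empty result means both keys are set, distinct, and not among the known defaults.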



Comments
Ludovic Dubost - 15/Dec/06 13:57
For the moment this should be documented in the release notes that admins should change them.

Vincent Massol - 16/Dec/06 23:18
Ludovic: I think they would be better documented in the Admin Guide in the Configuration section


Catalin Hritcu - 15/Aug/07 07:21
Changed priority to Critical since this affects the security of xwiki.

Raffaello Pelagalli - 23/Jul/08 19:26
The key should be auto-generated during XWiki start and should not appear in any configuration file.
It's not a problem, imo, that people relog after a server restart.

Vincent Massol - 23/Jul/08 19:30

It's not a problem, imo, that people relog after a server restart.

I don't agree. We'll get lots of people asking why they have to log in again even though they have clicked rememberme.