Details
- Type: Improvement
- Status: Open
- Priority: Critical
- Resolution: Unresolved
- Affects Version/s: 1.0 B1
- Fix Version/s: None
- Component/s: Development Issues only
- Labels: None
- Keywords: security cookies
- Development Priority: Medium
Description
xwiki.cfg has two parameters, xwiki.authentication.validationKey and xwiki.authentication.encryptionKey, which are used to protect the authentication cookie. Both ship with predefined default values, so an attacker who knows the defaults can decode the username/password stored in the cookie.
It would be better if the installer (.exe, Ant or Maven) generated either:
1. a random key pair, or
2. a host-dependent key pair, different for each host but always the same for a given host.
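The following is an added example, not XWiki's installer code, showing the two options the issue proposes plus the check an installer or audit script would run first: detect whether the two parameters are absent or still at a known default, generate a fresh random pair (option 1) or derive a per-host pair (option 2), and write the result back into an xwiki.cfg fragment. Only the two parameter names come from the page; the sample config text and the placeholder default values are constructed, and the per-host derivation assumes a `local_secret` (for example, a random file created once at install time) alongside the host identifier, because a hostname or IP alone is public and would make the derived keys guessable.

```python
"""Added example (not XWiki's own installer code): check, generate or derive
the two cookie-protection keys and write them into an xwiki.cfg fragment."""
import hashlib
import hmac
import re
import secrets

# The two parameters named in the issue.
KEY_NAMES = (
    "xwiki.authentication.validationKey",
    "xwiki.authentication.encryptionKey",
)

# Constructed placeholders standing in for whatever defaults the shipped file
# contains; a real audit script would list the actual shipped values here.
PLACEHOLDER_DEFAULTS = {
    "xwiki.authentication.validationKey": "PLACEHOLDER_DEFAULT_VALIDATION",
    "xwiki.authentication.encryptionKey": "PLACEHOLDER_DEFAULT_ENCRYPTION",
}

# Constructed sample: a minimal xwiki.cfg fragment, not the real shipped file.
SAMPLE_CFG = """\
# constructed sample xwiki.cfg fragment
xwiki.authentication.validationKey=PLACEHOLDER_DEFAULT_VALIDATION
xwiki.authentication.encryptionKey=PLACEHOLDER_DEFAULT_ENCRYPTION
xwiki.authentication.cookiedomains=
"""

# Matches an active (not commented-out) line for either key; group 2 is the value.
_LINE_RE = re.compile(
    r"^\s*(xwiki\.authentication\.(?:validationKey|encryptionKey))\s*=\s*(.*?)\s*$"
)


def parse_keys(cfg_text):
    """Return {key name: value} for the active key lines in the config text."""
    found = {}
    for line in cfg_text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def find_placeholder_keys(cfg_text, known_defaults=PLACEHOLDER_DEFAULTS):
    """The check to run before anything else: names of keys that are missing,
    empty, or still carry a known shipped default."""
    present = parse_keys(cfg_text)
    return [k for k in KEY_NAMES if present.get(k) in (None, "", known_defaults.get(k))]


def generate_random_keys(nbytes=32):
    """Option 1 from the issue: an independent random key pair from the CSPRNG."""
    return {k: secrets.token_hex(nbytes) for k in KEY_NAMES}


def derive_host_keys(host_id, local_secret):
    """Option 2 from the issue: keys stable for one host but different across hosts.
    Each key is HMAC-SHA256(local_secret, host_id || key name). The host identifier
    is public, so `local_secret` (assumed: random bytes kept only on that host)
    is what keeps the derived keys unguessable."""
    if not isinstance(local_secret, bytes) or len(local_secret) < 16:
        raise ValueError("local_secret must be at least 16 random bytes")
    return {
        k: hmac.new(local_secret, f"{host_id}|{k}".encode(), hashlib.sha256).hexdigest()
        for k in KEY_NAMES
    }


def rewrite_config(cfg_text, new_values):
    """Replace the active key lines with new values and append any key that was
    absent. Every other line, including commented-out ones, is left untouched."""
    out, replaced = [], set()
    for line in cfg_text.splitlines():
        m = _LINE_RE.match(line)
        if m and m.group(1) in new_values:
            out.append(f"{m.group(1)}={new_values[m.group(1)]}")
            replaced.add(m.group(1))
        else:
            out.append(line)
    for k in KEY_NAMES:
        if k not in replaced:
            out.append(f"{k}={new_values[k]}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("keys still at defaults:", find_placeholder_keys(SAMPLE_CFG))
    fixed = rewrite_config(SAMPLE_CFG, generate_random_keys())
    print(fixed)
    print("keys still at defaults after rewrite:", find_placeholder_keys(fixed))
```

Running the module on the sample fragment reports both keys as defaults, rewrites them, and reports none afterwards. The same `find_placeholder_keys` check is what a startup self-test or configuration audit would run against a deployed xwiki.cfg, which catches instances that were installed before the installer generated keys.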