Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-542

The cookie encryption keys should be randomly generated

    XMLWordPrintable

Details

    • Improvement
    • Resolution: Unresolved
    • Critical
    • None
    • 1.0 B1
    • Development Issues only
    • None
    • security cookies
    • Medium

    Description

      xwiki.cfg has two parameters, xwiki.authentication.validationKey and xwiki.authentication.encryptionKey, responsible for cookie encryption. These two have predefined values which can be used by an attacker to decode the username/password.

      It would be better if the installer (.exe, ant or maven) would generate:
      1. a random key pair
      2. a host-dependent key-pair, different for each host, but always the same for a host

      Attachments

        Activity

          People

            Unassigned Unassigned
            sdumitriu Sergiu Dumitriu
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated: