Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-542

The cookie encryption keys should be randomly generated

          Details

          • Type: Improvement
          • Status: Open
          • Priority: Critical
          • Resolution: Unresolved
          • Affects Version/s: 1.0 B1
          • Fix Version/s: None
          • Component/s: Development Issues only
          • Labels:
            None
          • keywords:
            security cookies
          • Development Priority:
            Medium
          • Similar issues:

            Description

            xwiki.cfg has two parameters, xwiki.authentication.validationKey and xwiki.authentication.encryptionKey, responsible for cookie encryption. These two have predefined values which can be used by an attacker to decode the username/password.

            It would be better if the installer (.exe, ant or maven) would generate:
            1. a random key pair
            2. a host-dependent key-pair, different for each host, but always the same for a host

              Attachments

                Activity

                  People

                  • Assignee:
                    Unassigned
                    Reporter:
                    sdumitriu Sergiu Dumitriu
                  • Votes:
                    0 Vote for this issue
                    Watchers:
                    1 Start watching this issue

                    Dates

                    • Created:
                      Updated:
                      Date of First Response: