[CWD-1848] crowd.token_key cookie should be HttpOnly

Type: Bug
Resolution: Duplicate
Priority: Low
Fix Version/s: 2.2 Iteration 2, 2.2
Affects Version/s: 2.0
Component/s: Authentication / Security
Labels:
- must
Environment:

Crowd 2.0.0 (Build:#406 - Jul 29, 2009)
Sun Java 1.6.0_16, JVM 14.2-b01

Bug Fix Policy:
View Atlassian Server bug fix policy

Set-up is something like this:

SSO domain is .example.com
Crowd-authenticated sites are {wiki,bugs,crowd}.example.com
Additionally, webdav.example.com allows users to easily make test websites

Even though webdav.example.com is configured to only allow static content, JavaScript can still steal cookies (tested with <script>document.write(document.cookie)</script>).

Admittedly, the "correct" fix is to stick "trusted" content under a different subdomain (.secure.example.com) but that gets messy. Additionally, it's perfectly feasible to make webdav.example.com Crowd-authenticated but not wish for embedded JS to read the same cookies (this can be fixed by making webdav.example.com serve application/octet-stream, Content-Disposition: attachment and moving the "normal" server to webdav.example.net, but that's even messier).

is duplicated by

CWD-1874 Make Crowd token cookies httponly

Closed

Piyawoot Songsiritat [Atlassian] added a comment - 07/Jan/2011 12:31 AM

Fixed in CWD-1948

Piyawoot Songsiritat [Atlassian] added a comment - 07/Jan/2011 12:31 AM Fixed in CWD-1948

Assignee:: Piyawoot Songsiritat [Atlassian]

Reporter:: T Chan

Affected customers:: 2 This affects my team

Watchers:: 1 Start watching this issue

Created:: 12/Mar/2010 3:00 PM

Updated:: 15/Aug/2019 7:06 AM

Resolved:: 07/Jan/2011 12:31 AM

Details

Description

Attachments

Issue Links

Forms

Activity

Collapse comment: Piyawoot Songsiritat [Atlassian] added a comment - 07/Jan/2011 12:31 AM

Expand comment: Piyawoot Songsiritat [Atlassian] added a comment - 07/Jan/2011 12:31 AM

People

Dates