Crowd Data Center / CWD-1848

crowd.token_key cookie should be HttpOnly


Details

    • Type: Bug
    • Resolution: Duplicate
    • Priority: Low
    • 2.2 Iteration 2, 2.2
    • 2.0
    • Environment: Crowd 2.0.0 (Build:#406 - Jul 29, 2009)
      Sun Java 1.6.0_16, JVM 14.2-b01

    Description

      Like FE-899

      Set-up is something like this:

      • SSO domain is .example.com
      • Crowd-authenticated sites are {wiki,bugs,crowd}.example.com
      • Additionally, webdav.example.com allows users to easily make test websites

      Even though webdav.example.com is configured to only allow static content, JavaScript can still steal cookies (tested with <script>document.write(document.cookie)</script>).

      Admittedly, the "correct" fix is to stick "trusted" content under a different subdomain (.secure.example.com) but that gets messy. Additionally, it's perfectly feasible to make webdav.example.com Crowd-authenticated but not wish for embedded JS to read the same cookies (this can be fixed by making webdav.example.com serve application/octet-stream, Content-Disposition: attachment and moving the "normal" server to webdav.example.net, but that's even messier).
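As an added example (not from the issue reporter or from Crowd's code base), the following Python audit parses Set-Cookie headers and flags cookies scoped to the SSO parent domain that lack HttpOnly or Secure, which is the condition the report describes for crowd.token_key. The sample headers, the token value and the .example.com domain are constructed for the demonstration.

```python
"""Added example: audit Set-Cookie headers for SSO cookies that are shared
across a parent domain and can be read by script on any sibling host."""
from typing import Dict, List


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie: Dict[str, object] = {"name": name.strip(), "value": value, "attrs": {}}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        # Flag attributes (HttpOnly, Secure) carry no value; store them as True.
        cookie["attrs"][key.strip().lower()] = val.strip() or True
    return cookie


def audit_sso_cookies(headers: List[str], sso_domain: str) -> List[str]:
    """Return one finding per missing flag on cookies scoped to the SSO domain.

    Host-only cookies (no Domain attribute) are not shared with sibling
    subdomains and are therefore skipped.
    """
    findings: List[str] = []
    wanted = sso_domain.lstrip(".").lower()
    for header in headers:
        cookie = parse_set_cookie(header)
        attrs = cookie["attrs"]
        domain = str(attrs.get("domain", "")).lstrip(".").lower()
        if domain != wanted:
            continue
        if "httponly" not in attrs:
            findings.append(f"{cookie['name']}: Domain=.{domain} without HttpOnly; "
                            f"readable via document.cookie on every {domain} subdomain")
        if "secure" not in attrs:
            findings.append(f"{cookie['name']}: Domain=.{domain} without Secure")
    return findings


# Constructed sample headers: the first mirrors the report (domain-wide SSO
# token without HttpOnly), the second is the hardened form, the third is host-only.
SAMPLE_HEADERS = [
    "crowd.token_key=EXAMPLE_TOKEN; Path=/; Domain=.example.com",
    "crowd.token_key=EXAMPLE_TOKEN; Path=/; Domain=.example.com; Secure; HttpOnly",
    "JSESSIONID=abc123; Path=/crowd; HttpOnly",
]

if __name__ == "__main__":
    for finding in audit_sso_cookies(SAMPLE_HEADERS, ".example.com"):
        print(finding)
```

HttpOnly only stops script from reading the token; the browser still attaches the cookie to requests made from any sibling subdomain, so the separate-domain split the report mentions remains the stronger isolation.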

      People

        Piyawoot Songsiritat [Atlassian]
        T Chan
        Votes: 2
        Watchers: 1
