Github user rsafonseca commented on the pull request:
https://github.com/apache/cloudstack/pull/308#issuecomment-105861689
I see that in the parent commit Jessica tried to fix security on the cookie
by setting httponly=true in tomcat's context.xml.
This would be a sane thing to do, if the sessionkey cookie was actually
handled by tomcat, which it is not.
This cookie only existed on client side, and was created by .js, so it's
not possible to set httponly on that.
This approach does not add any extra security, since the data is still
stored in a .js variable and accessible to scripts; only the location of the
data has changed, but this does not confer extra security.
Basically, all this did was break the functionality and remove 1 of the 2
places where the sessionkey was accessible through javascript.
My new proposal is to actually get httponly cookie working, which thwarts
most kinds of XSS attacks.
This is done by making the server handle the cookie (not the client).
The only thing I didn't fix was the same security hole being created by the
SAML login (cookie with sessionkey data is created in browser), since I didn't
have it set up to test. These changes shouldn't break it though, it will just
keep the same insecure behaviour.
Have a look at my proposed changes :)
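The server-side cookie handling proposed above can be checked from the HTTP response itself: a cookie that the browser JavaScript creates never appears in a Set-Cookie header, and one the server issues must carry HttpOnly to be hidden from document.cookie. The following is an added example, not part of this pull request or of CloudStack; it parses Set-Cookie headers from constructed sample responses (before and after the proposed change, with an assumed /client path) and reports session cookies that are absent or lack HttpOnly, Secure or SameSite.

```python
"""Audit Set-Cookie headers for session-cookie hardening flags (added example)."""

SESSION_COOKIE = "sessionkey"  # cookie name discussed in the comment above

# Constructed sample responses, not captured from a real CloudStack server.
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Set-Cookie: JSESSIONID=EXAMPLEID; Path=/client; HttpOnly\r\n"  # tomcat-managed only
)
AFTER = BEFORE + (
    "Set-Cookie: sessionkey=EXAMPLEKEY; Path=/client; Secure; HttpOnly; SameSite=Lax\r\n"
)

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute_lower: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flags such as HttpOnly map to ""
    return name.strip(), value, attrs

def audit_cookie(header_value, require_secure=True):
    """Return (cookie_name, [findings]) for a single Set-Cookie header value."""
    name, _, attrs = parse_set_cookie(header_value)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by page scripts via document.cookie")
    if require_secure and "secure" not in attrs:
        findings.append("missing Secure: sent over plaintext HTTP")
    if "samesite" not in attrs:
        findings.append("missing SameSite: sent on cross-site requests")
    return name, findings

def audit_response(raw_headers, session_cookie=SESSION_COOKIE):
    """Map every cookie the server issues to its findings; flag a session cookie
    that the server never issues, since a client-side JS cookie cannot be HttpOnly."""
    results = {}
    for line in raw_headers.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "set-cookie":
            name, findings = audit_cookie(value.strip())
            results[name] = findings
    if session_cookie not in results:
        results[session_cookie] = ["not issued by the server: a browser-created cookie cannot be HttpOnly"]
    return results

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_response(raw))
```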