andy stevko created CB-9641:
-------------------------------

             Summary: Android WebView writing session cookies to sqlite database
                 Key: CB-9641
                 URL: https://issues.apache.org/jira/browse/CB-9641
             Project: Apache Cordova
          Issue Type: Bug
          Components: Android
    Affects Versions: 3.5.0
            Reporter: andy stevko


Android version 4.4.4
Node version: v0.12.5
Cordova version: 0.21.9
targeting Android 4.4.2

I'm not sure where else would be more appropriate to post this issue.

My Cordova application uses a Java web service that relies on a session cookie 
for authentication. A security audit has detected that cookie's value within 
the sqlite database for the application.
/data/data/com.my.app/app_webview/Cookies
This is easily viewable via the app aSQLiteManager on a rooted phone.

A similar ticket has been posted to stackoverflow at 
http://stackoverflow.com/questions/28169717/how-to-encrypt-cookies-on-android-apps-using-phonegap-cordova
The security auditors recommend we 'encrypt the cookies', which is kind of 
nonsensical because the app has little/no access to the cookies.

As per rfc2161 section 14.9.1, I've tried to prevent the cookie from being 
written to storage using the http Cache-Control header without success.

bq. Cache-Control: no-cache="Set-Cookie"
and
bq. Cache-Control: private, no-cache="Set-Cookie", no-cache, no-store, must-revalidate

There must be a way to prevent WebView from writing cookies to storage.

Below is a slightly cleansed packet capture of the request/response that 
contains the Set-Cookie and Cache-Control headers.

-------------------------
POST /APP/loginServlet?rand=0.25953230005688965 HTTP/1.1
Host: localhost:8080
Connection: keep-alive
Content-Length: 50
X-PINGOTHER: pingpong
Origin: file://
x-requested-with: XMLHttpRequest
User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9505G Build/KTU84P.S001) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
x-http-method-override: POST, GET, PUT, DELETE, OPTIONS, HEAD
Content-Type: application/xml
Accept: */*
Accept-Encoding: gzip,deflate
Accept-Language: en-US

callback=login&username=myusername&password=mypassword

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-cache="Set-Cookie"
Set-Cookie: JSESSIONID=ug1XzPoRe62clfreCVEqb6nF; Path=/APP
Set-Cookie: JSESSIONID=LYmvK6p6tnW+DjkSj4fCYx39; Path=/APP
Set-Cookie: JSESSIONID=bKTavVWUrTRvLEX2M1EgBvmO; Path=/APP
Access-Control-Allow-Origin: file://
Access-Control-Allow-Methods: POST, GET, PUT, DELETE, OPTIONS, HEAD
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: SET-COOKIE, Cache-Control, X-PINGOTHER, x-http-method-override, Content-Type, X-Requested-With
Access-Control-Max-Age: 86400
Allow: GET, HEAD, POST, TRACE, OPTIONS
Pragma: no-cache
Transfer-Encoding: chunked
Date: Thu, 10 Sep 2015 23:43:20 GMT

4c
{"login":"valid"}

0
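As an added example (not part of the issue or the Cordova project), a small Python audit of the Set-Cookie headers in the captured response above. It flags the attributes a reviewer would check (Secure, HttpOnly, absence of Expires/Max-Age) and ignores Cache-Control, since that header instructs HTTP caches and does not govern whether a user agent's cookie jar stores the cookie.

```python
# Added example, not from the Cordova issue: audit the Set-Cookie headers of a
# captured HTTP response. The sample is the response from the report, trimmed
# to the headers that matter for cookie handling.
CAPTURED_RESPONSE = """HTTP/1.1 200 OK
Cache-Control: no-cache="Set-Cookie"
Set-Cookie: JSESSIONID=ug1XzPoRe62clfreCVEqb6nF; Path=/APP
Set-Cookie: JSESSIONID=LYmvK6p6tnW+DjkSj4fCYx39; Path=/APP
Set-Cookie: JSESSIONID=bKTavVWUrTRvLEX2M1EgBvmO; Path=/APP
Access-Control-Allow-Credentials: true
"""


def parse_set_cookie(value):
    """Split 'NAME=VALUE; Attr=val; Flag' into (name, value, {attr: val})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), cookie_value.strip(), attrs


def audit_cookies(raw):
    """Return [(cookie_name, [issues])] per Set-Cookie. Cache-Control, even
    no-cache="Set-Cookie", is ignored: it addresses HTTP caches, not the
    user agent's cookie jar."""
    findings = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        hname, _, hvalue = line.partition(":")
        if hname.strip().lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(hvalue.strip())
        issues = []
        if "secure" not in attrs:
            issues.append("missing Secure: also sent over plain HTTP")
        if "httponly" not in attrs:
            issues.append("missing HttpOnly: readable from page script")
        if "expires" not in attrs and "max-age" not in attrs:
            issues.append("no Expires/Max-Age: a session cookie, whose "
                          "persistence is left to the user agent")
        findings.append((name, issues))
    return findings


if __name__ == "__main__":
    for name, issues in audit_cookies(CAPTURED_RESPONSE):
        print(name, "->", "; ".join(issues) or "ok")
```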