[ 
https://issues.apache.org/jira/browse/CB-9641?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Joe Bowser resolved CB-9641.
----------------------------
    Resolution: Won't Fix

This is a webview issue, and this is technically by design.  Once you're on a 
rooted phone, all bets are off with securing your app. The Android WebView 
stores cookies in the SQLite database.  This is outside our control. 

I'd report the Cache-Control bug to the Chromium team, since that sounds like a 
bug.

> Android WebView writing session cookies to sqlite database 
> -----------------------------------------------------------
>
>                 Key: CB-9641
>                 URL: https://issues.apache.org/jira/browse/CB-9641
>             Project: Apache Cordova
>          Issue Type: Bug
>          Components: Android
>    Affects Versions: 3.5.0
>            Reporter: andy stevko
>
> Android version 4.4.4
> Node version: v0.12.5
> Cordova version: 0.21.9
> targeting Android 4.4.2
> I'm not sure where else would be more appropriate to post this issue.
> My cordova application uses a java web service that relies on a session 
> cookie for authentication. A security audit has detected that cookie's value 
> within the sqlite database for the application.
> /data/data/com.my.app/app_webview/Cookies
> This is easily viewable via the app aSQLiteManager on a rooted phone.
> A similar ticket has been posted to stackoverflow at 
> http://stackoverflow.com/questions/28169717/how-to-encrypt-cookies-on-android-apps-using-phonegap-cordova
> The security auditors recommend we 'encrypt the cookies' which is kind of 
> non-sensical because the app has little/no access to the cookies.
> As per rfc2161 section 14.9.1, I've tried to prevent the cookie from being 
> written to storage using the http Cache-Control header without success.
>     Cache-Control: no-cache="Set-Cookie"
> and
>     Cache-Control: private, no-cache="Set-Cookie", no-cache, no-store,
>     must-revalidate
> There must be a way to prevent WebView from writing cookies to storage.
> Below is a slightly cleansed packet capture of the request/response that 
> contains the Set-Cookie and Cache-Control headers.
> -------------------------
> POST /APP/loginServlet?rand=0.25953230005688965 HTTP/1.1
> Host: localhost:8080
> Connection: keep-alive
> Content-Length: 50
> X-PINGOTHER: pingpong
> Origin: file://
> x-requested-with: XMLHttpRequest
> User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9505G Build/KTU84P.S001) 
> AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile 
> Safari/537.36
> x-http-method-override: POST, GET, PUT, DELETE, OPTIONS, HEAD
> Content-Type: application/xml
> Accept: */*
> Accept-Encoding: gzip,deflate
> Accept-Language: en-US
> callback=login&username=myusername&password=mypassword
>
> HTTP/1.1 200 OK
> Server: Apache-Coyote/1.1
> Cache-Control: no-cache="Set-Cookie"
> Set-Cookie: JSESSIONID=ug1XzPoRe62clfreCVEqb6nF; Path=/APP
> Set-Cookie: JSESSIONID=LYmvK6p6tnW+DjkSj4fCYx39; Path=/APP
> Set-Cookie: JSESSIONID=bKTavVWUrTRvLEX2M1EgBvmO; Path=/APP
> Access-Control-Allow-Origin: file://
> Access-Control-Allow-Methods: POST, GET, PUT, DELETE, OPTIONS, HEAD
> Access-Control-Allow-Credentials: true
> Access-Control-Allow-Headers: SET-COOKIE, Cache-Control, X-PINGOTHER, 
> x-http-method-override, Content-Type, X-Requested-With
> Access-Control-Max-Age: 86400
> Allow: GET, HEAD, POST, TRACE, OPTIONS
> Pragma: no-cache
> Transfer-Encoding: chunked
> Date: Thu, 10 Sep 2015 23:43:20 GMT
> 4c
> {"login":"valid"}
> 0
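An added example, not code from the ticket or from Cordova: a small audit over the Set-Cookie headers of a login response shaped like the capture above, reporting which cookies are session cookies (no Max-Age/Expires, the kind the reporter found in the WebView's Cookies file) and which lack the Secure and HttpOnly attributes. The sample response is constructed and the JSESSIONID values are placeholders.

```python
# Constructed sample: response side of the ticket's capture, placeholder IDs.
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    'Cache-Control: no-cache="Set-Cookie"\r\n'
    "Set-Cookie: JSESSIONID=PLACEHOLDER1; Path=/APP\r\n"
    "Set-Cookie: JSESSIONID=PLACEHOLDER2; Path=/APP\r\n"
    "Set-Cookie: JSESSIONID=PLACEHOLDER3; Path=/APP\r\n\r\n"
    '{"login":"valid"}'
)

def parse_headers(raw):
    """(name, value) pairs for every header line, keeping repeated names."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_cookies(raw):
    """Parse each Set-Cookie header into its cookie name and attribute flags."""
    cookies = []
    for name, value in parse_headers(raw):
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        attrs = {}
        for part in parts[1:]:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
        cookies.append({
            "name": parts[0].split("=", 1)[0],
            # no Max-Age/Expires means a session cookie (the kind in the ticket)
            "session": "max-age" not in attrs and "expires" not in attrs,
            "secure": "secure" in attrs,
            "httponly": "httponly" in attrs,
        })
    return cookies

def findings(raw):
    """Issues a reviewer would flag in a response's Set-Cookie headers."""
    cookies, out = audit_cookies(raw), []
    checks = [("session", True, "session cookie (no Max-Age/Expires)"),
              ("secure", False, "missing Secure attribute"),
              ("httponly", False, "missing HttpOnly attribute")]
    for c in cookies:
        out += [f"{c['name']}: {msg}" for k, bad, msg in checks if c[k] == bad]
    if len({c["name"] for c in cookies}) < len(cookies):
        out.append("same cookie name set more than once in one response")
    return out
```

Running `findings(RAW_RESPONSE)` lists the missing attributes for each of the three JSESSIONID cookies and flags that the same cookie name is set three times in one response.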



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
