Jacques Le Roux closed OFBIZ-11470.
    Fix Version/s: 17.12.02
       Resolution: Fixed

Here is more information about the SameSite attribute from [OWASP Cross-Site Request Forgery (CSRF) Prevention Cheat

bq. All desktop browsers and almost all mobile browsers now support the SameSite attribute. To keep track of the browsers implementing it and the usage of the attribute, refer to the following service. Note that Chrome has announced that they will mark cookies as SameSite=Lax by default from Chrome 80 (due in February 2020), and Firefox and Edge are both planning to follow suit. Additionally, the Secure flag will be required for cookies that are marked as

bq. It is important to note that this attribute should be implemented as an additional layer defense in depth concept. This attribute protects the user through the browsers supporting it, and it contains as well 2 ways to bypass it as mentioned in the following section. This attribute should not replace having a CSRF Token. Instead, it should co-exist with that token in order to protect the user in a more robust way.

> Ensure that the SameSite attribute is set to 'strict' for all cookies.
> ----------------------------------------------------------------------
>                 Key: OFBIZ-11470
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11470
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL APPLICATIONS
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 18.12.01, 17.12.02
> As reported by OWASP ZAP:
> bq. A cookie has been set without the SameSite attribute, which means that the cookie can be sent as a result of a 'cross-site' request. The SameSite attribute is an effective countermeasure to cross-site request forgery, cross-site script inclusion, and timing attacks.
> The solution was not obvious in OFBiz for 2 reasons:
> # There is no HttpServletResponse::setHeader. So we need to use a filter (SameSiteFilter) and even that is not enough because of 2:
> # To prevent session fixation we force Tomcat to generate a new jsessionId, ultimately put in a cookie, in LoginWorker::login. So we need to add a call to SameSiteFilter::addSameSiteCookieAttribute in UtilHttp::setResponseBrowserDefaultSecurityHeaders.

This message was sent by Atlassian Jira
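The filter approach described in the issue, shown as an added example that is not OFBiz's own SameSiteFilter or UtilHttp code: the Servlet API's Cookie class has no SameSite setter, so the only generic place to add the attribute is the Set-Cookie header text itself. The class name SameSiteCookieFilter, the helper addSameSiteCookieAttribute and the Strict default are assumptions for this illustration. The helper is static so that it can also be invoked from the code path that regenerates the session id, which is the second problem the issue describes; a filter that only rewrites headers after chain.doFilter cannot touch a response that has already been committed.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (illustration only, not the OFBiz class of the same
 * purpose): appends a SameSite attribute to every Set-Cookie header that the
 * application and the container have placed on the response.
 */
public class SameSiteCookieFilter implements Filter {

    /** Assumed default; the issue asks for 'strict' on all cookies. */
    private String mode = "Strict";

    @Override
    public void init(FilterConfig config) {
        // Optional init-param "sameSite" (assumed name) overrides the default.
        String configured = config.getInitParameter("sameSite");
        if (configured != null && !configured.isEmpty()) {
            mode = configured;
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(req, resp);
        if (resp instanceof HttpServletResponse) {
            addSameSiteCookieAttribute((HttpServletResponse) resp, mode);
        }
    }

    @Override
    public void destroy() { }

    /**
     * Rewrites all Set-Cookie headers currently on the response so that each
     * carries SameSite=mode. Does nothing if the response is already committed,
     * because the headers have then already been sent to the browser.
     */
    public static void addSameSiteCookieAttribute(HttpServletResponse response, String mode) {
        if (response.isCommitted()) {
            return;
        }
        // Copy first: getHeaders may return a live view that setHeader would clear.
        List<String> headers = new ArrayList<>(response.getHeaders("Set-Cookie"));
        if (headers.isEmpty()) {
            return;
        }
        boolean first = true;
        for (String header : headers) {
            String rewritten = withSameSite(header, mode);
            if (first) {
                // setHeader replaces every previous Set-Cookie value at once.
                response.setHeader("Set-Cookie", rewritten);
                first = false;
            } else {
                response.addHeader("Set-Cookie", rewritten);
            }
        }
    }

    /**
     * Appends "; SameSite=mode" to one Set-Cookie header value. A header that
     * already names SameSite is left untouched, and SameSite=None additionally
     * requires the Secure flag, as the quoted OWASP guidance notes.
     */
    static String withSameSite(String setCookie, String mode) {
        String lower = setCookie.toLowerCase(Locale.ROOT);
        if (lower.contains("samesite=")) {
            return setCookie;
        }
        StringBuilder sb = new StringBuilder(setCookie);
        if ("none".equalsIgnoreCase(mode) && !lower.contains("; secure")) {
            sb.append("; Secure");
        }
        sb.append("; SameSite=").append(mode);
        return sb.toString();
    }
}
```

Register the filter in web.xml (or with @WebFilter) so that it wraps every request that can set cookies; as the issue states, the session cookie written when the id is regenerated at login still needs the helper called explicitly at that point. On Tomcat 8.5.42 / 9.0.21 and later the same attribute can also be applied container-wide with the sameSiteCookies attribute of the Rfc6265CookieProcessor in context.xml, which avoids rewriting headers in application code.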