ASF subversion and git services commented on OFBIZ-11470:

Commit d08a0527c465642da43ff4d8d0e9876cf8b697f6 in ofbiz-framework's branch 
refs/heads/release18.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=d08a052 ]

Fixed: Ensure that the SameSite attribute is set to 'strict' for all cookies.


It's better to allow users to change from strict to lax, at least for all
cookies. Some could want to change it by cookie type. I let the exercise for
them :)

> Ensure that the SameSite attribute is set to 'strict' for all cookies.
> ----------------------------------------------------------------------
>                 Key: OFBIZ-11470
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11470
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL APPLICATIONS
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 18.12.01, 17.12.02
> As reported by OWASP ZAP:
> bq. A cookie has been set without the SameSite attribute, which means that 
> the cookie can be sent as a result of a 'cross-site' request. The SameSite 
> attribute is an effective counter measure to cross-site request forgery, 
> cross-site script inclusion, and timing attacks.
> The solution was not obvious in OFBiz for 2 reasons:
> # There is no HttpServletResponse::setHeader. So we need to use a filter 
> (SameSiteFilter) and even that is not enough because of 2:
> # To prevent session fixation we force Tomcat to generates a new jsessionId, 
> ultimately put in cookie, in LoginWorker::login. So we need to add a call to 
> SameSiteFilter::addSameSiteCookieAttribute in 
> UtilHttp::setResponseBrowserDefaultSecurityHeaders.

This message was sent by Atlassian Jira

Reply via email to