[ https://issues.apache.org/jira/browse/OFBIZ-11477?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-11477:
------------------------------------
    Description: 
According to 
[OWASP|https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#web-content-caching]
 OFBiz Web Content Caching is weak:
{quote}Even after the session has been closed, it might be possible to access 
the private or sensitive data exchanged within the session through the web 
browser cache. Therefore, web applications must use restrictive cache 
directives for all the web traffic exchanged through HTTP and HTTPS, such as 
the Cache-Control and Pragma HTTP headers, and/or equivalent META tags on all 
or (at least) sensitive web pages.
{quote}
{quote}Independently of the cache policy defined by the web application, if 
caching web application contents is allowed, the session IDs must never be 
cached, so it is highly recommended to use the Cache-Control: 
no-cache="Set-Cookie, Set-Cookie2" directive, to allow web clients to cache 
everything except the session ID (see here).
{quote}
I though noticed that Set-Cookie2 is deprecated for a long time now. And the 
new browsers policies it to often updated. So no need to use Set-Cookie2.

  was:
According to 
[OWASP|https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#web-content-caching]
 OFBiz Web Content Caching is weak:

bq. Even after the session has been closed, it might be possible to access the 
private or sensitive data exchanged within the session through the web browser 
cache. Therefore, web applications must use restrictive cache directives for 
all the web traffic exchanged through HTTP and HTTPS, such as the Cache-Control 
and Pragma HTTP headers, and/or equivalent META tags on all or (at least) 
sensitive web pages.

bq. Independently of the cache policy defined by the web application, if 
caching web application contents is allowed, the session IDs must never be 
cached, so it is highly recommended to use the Cache-Control: 
no-cache="Set-Cookie, Set-Cookie2" directive, to allow web clients to cache 
everything except the session ID (see here).

I though noticed that Set-Cookie2 is deprecated for a long time now. And we new 
browsers policies it to often updated. So no need to use Set-Cookie2.


> Improve Web Content Caching
> ---------------------------
>
>                 Key: OFBIZ-11477
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11477
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: Release Branch 18.12, Release Branch 17.12
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
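As an added example (not code from the OFBiz project or from the issue author), a small Python checker that applies the OWASP guidance quoted in the description to a response's headers: it parses the Cache-Control directive list, including quoted `no-cache="..."` field lists, and flags a Set-Cookie that a cache may store, a missing `Pragma: no-cache`, and the obsolete Set-Cookie2 name. The two header sets are constructed samples, and the cookie value is a placeholder.

```python
from typing import Dict, List, Optional

# Constructed sample response headers (not captured from OFBiz).
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Set-Cookie": "JSESSIONID=PLACEHOLDER; Path=/; HttpOnly; Secure",
}
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Cache-Control": 'no-cache="Set-Cookie", no-store, must-revalidate',
    "Pragma": "no-cache",
    "Set-Cookie": "JSESSIONID=PLACEHOLDER; Path=/; HttpOnly; Secure",
}

def _split_outside_quotes(value: str) -> List[str]:
    """Split on commas that are not inside a quoted-string (so no-cache="A, B" stays whole)."""
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]

def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Map each directive (lower-cased) to its unquoted argument, or None if it has none."""
    directives: Dict[str, Optional[str]] = {}
    for token in _split_outside_quotes(value):
        name, _, arg = token.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if arg else None
    return directives

def audit_caching(headers: Dict[str, str]) -> List[str]:
    """Return findings against the OWASP web-content-caching advice; [] means the response passes."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    cc = parse_cache_control(lower.get("cache-control", ""))
    if not cc:
        findings.append("missing Cache-Control header")
    # The session ID is safe only if the whole response is uncacheable, or if
    # no-cache explicitly names the Set-Cookie header field.
    excluded = {h.strip().lower() for h in (cc.get("no-cache") or "").split(",")}
    whole_uncached = "no-store" in cc or ("no-cache" in cc and cc["no-cache"] is None)
    if "set-cookie" in lower and not whole_uncached and "set-cookie" not in excluded:
        findings.append('Set-Cookie may be cached: add no-store or no-cache="Set-Cookie"')
    if "set-cookie2" in excluded:  # Set-Cookie2 (RFC 2965) was obsoleted by RFC 6265
        findings.append("no-cache lists Set-Cookie2, obsoleted by RFC 6265; drop it")
    if lower.get("pragma", "").lower() != "no-cache":
        findings.append("missing Pragma: no-cache (HTTP/1.0 caches)")
    return findings
```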
