[ https://issues.apache.org/jira/browse/OFBIZ-11477?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jacques Le Roux closed OFBIZ-11477.
-----------------------------------
Fix Version/s: 17.12.02, 18.12.01
Resolution: Implemented
> Improve Web Content Caching
> ---------------------------
>
> Key: OFBIZ-11477
> URL: https://issues.apache.org/jira/browse/OFBIZ-11477
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework
> Affects Versions: Release Branch 18.12, Release Branch 17.12
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Major
> Fix For: 18.12.01, 17.12.02
>
>
> According to
> [OWASP|https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#web-content-caching]
> OFBiz Web Content Caching is weak:
> {quote}Even after the session has been closed, it might be possible to access
> the private or sensitive data exchanged within the session through the web
> browser cache. Therefore, web applications must use restrictive cache
> directives for all the web traffic exchanged through HTTP and HTTPS, such as
> the Cache-Control and Pragma HTTP headers, and/or equivalent META tags on all
> or (at least) sensitive web pages.
> {quote}
> {quote}Independently of the cache policy defined by the web application, if
> caching web application contents is allowed, the session IDs must never be
> cached, so it is highly recommended to use the Cache-Control:
> no-cache="Set-Cookie, Set-Cookie2" directive, to allow web clients to cache
> everything except the session ID (see here).
> {quote}
> I noticed though that Set-Cookie2 has been deprecated for a long time now. And the
> new browsers' policies are too often updated. So no need to use Set-Cookie2.