Which cookie(s) are you looking at that caused these alarms?

This may or may not be OFBiz-related. For example, Tomcat (or whatever servlet 
container you are using) manages the session cookies.

-David


On Dec 6, 2010, at 8:41 AM, Frein Mccain wrote:

> I've developed an application on OFBiz and found some security issues during
> testing. Here is the list:
> 
> *A. Information Leakage through persistent cookies : The web application
> stores sensitive session information in a permanent cookie (on disk)*
> *Impact of this issue :*
> • This information may be compromised or used for identity theft or user
> impersonation.
> • The account information may be stolen and used later by a malicious user.
> 
> I've checked the Set-Cookie header, and found that the session id cookie has
> a future expiration date.
> So, my question is why OFBiz stores sensitive information in persistent
> cookies instead of non-permanent cookies (RAM cookies) only, and how to fix it.
> *B* *Sensitive Cookie in HTTPS Session Without 'Secure' Attribute : The
> Secure attribute for sensitive cookies in HTTPS sessions is not set*
> *Impact:*
> • It is possible to move the ability to enforce the cookie logic to the
> client-side (the browser). This could allow an attacker to send cookies
> he/she is not authorized to send.
> 
> I've checked the Set-Cookie header, and found that the "secure"
> attribute is missing.
> 
> Is there any property file where I can set that "secure" attribute for the
> cookie?
> 
> 
> Cheers,
> Frein

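The two checks Frein describes (a session cookie with a future expiration date, and a session cookie served over HTTPS without the Secure attribute) can be run mechanically against the Set-Cookie headers a server returns. The following is an added example, not code from the thread, from OFBiz or from Tomcat: it parses Set-Cookie headers and reports both findings. The sample headers are constructed for the example (not captured from a real deployment), JSESSIONID is assumed to be the session cookie name (the servlet-container default), and the fixed scan time is an assumption chosen to match the date of the mail.

```python
"""Audit Set-Cookie headers for persistent session cookies and for
session cookies delivered over HTTPS without the Secure attribute.
Added example; not part of the original thread or of OFBiz/Tomcat."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers for the example (not captured from a real server).
SAMPLE_HEADERS = [
    # Finding A and B: session cookie with a future Expires and no Secure flag
    "JSESSIONID=1A2B3C4D5E6F; Path=/; Expires=Thu, 06 Jan 2011 08:41:00 GMT",
    # Clean: non-persistent (no Expires/Max-Age), Secure set
    "JSESSIONID=7G8H9I0J; Path=/; Secure; HttpOnly",
    # Clean: Max-Age=0 is a deletion, not a persistent cookie
    "JSESSIONID=deadbeef; Path=/; Max-Age=0; Secure",
    # Not a session cookie, so persistence is not flagged here
    "theme=dark; Max-Age=31536000; Path=/",
]

# Assumed session cookie name (servlet-container default).
SESSION_COOKIE_NAMES = {"JSESSIONID"}

# Assumed scan time, matching the date of the original mail.
SCAN_TIME = datetime(2010, 12, 6, 8, 41, tzinfo=timezone.utc)


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes).
    Attribute names are lower-cased; flag attributes map to None."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value, attrs


def is_persistent(attrs, now):
    """True when the browser will write the cookie to disk: Max-Age > 0,
    or (when Max-Age is absent) an Expires date in the future.
    Max-Age takes precedence over Expires, as in RFC 6265."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) > 0
        except (TypeError, ValueError):
            return False
    expires = attrs.get("expires")
    if expires:
        try:
            exp = parsedate_to_datetime(expires)
        except (TypeError, ValueError):
            return False
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        return exp > now
    return False


def audit(headers, over_https=True, now=None):
    """Return a list of (cookie_name, finding) for session cookies that are
    persistent or that lack Secure when the response came over HTTPS."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if name not in SESSION_COOKIE_NAMES:
            continue
        if is_persistent(attrs, now):
            findings.append((name, "session cookie is persistent (Expires/Max-Age set)"))
        if over_https and "secure" not in attrs:
            findings.append((name, "Secure attribute missing on HTTPS session cookie"))
    return findings


def audit_samples():
    """Run the audit over the constructed samples at the assumed scan time."""
    return audit(SAMPLE_HEADERS, over_https=True, now=SCAN_TIME)


if __name__ == "__main__":
    for cookie, finding in audit_samples():
        print(f"{cookie}: {finding}")
```

Feed it the Set-Cookie headers from a real response (for example, copied out of a browser's network panel or a proxy) in place of the constructed samples; pass over_https=False for a plain-HTTP response so the Secure check is not reported where it does not apply.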