Jacques, I am using 9.04 release.
On Mon, Dec 6, 2010 at 11:45 PM, Jacques Le Roux <[email protected]> wrote:
> Which release.revision have you used?
>
> Jacques
>
> From: "Frein Mccain" <[email protected]>
>
> I've developed an application on OFBiz and found some security issues during
> testing. Here is the list:
>
> *A. Information Leakage through persistent cookies: The web application
> stores sensitive session information in a permanent cookie (on disk)*
>
> *Impact of this issue:*
>
> • This information may be compromised or used for identity theft or user
> impersonation.
> • The account information may be stolen and used later by a malicious user.
>
> I've checked the Set-Cookie header, and found that the session id cookie has
> a future expiration date.
> So, my question is why OFBiz stores sensitive information in persistent
> cookies instead of non-permanent cookies (RAM cookies) only, and how to fix it.
>
> *B. Sensitive Cookie in HTTPS Session Without 'Secure' Attribute: The
> Secure attribute for sensitive cookies in HTTPS sessions is not set*
>
> *Impact:*
>
> • It is possible to move the ability to enforce the cookie logic to the
> client-side (the browser). This could allow an attacker to send cookies he/she is
> not authorized to send.
>
> I've checked the Set-Cookie header, and found that the "secure" attribute is
> missing.
>
> Is there any property file where I can set that "secure" attribute for the
> cookie?
>
> Cheers,
> Frein
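As an added example (not part of this thread and not OFBiz code), here is a small Python audit that checks Set-Cookie headers for the two findings Frein describes: a session identifier issued with a future Expires or Max-Age, and a session cookie served over HTTPS without the Secure attribute. The sample response headers are constructed, the clock is pinned so the expiry check is reproducible, and the cookie name JSESSIONID is assumed to be the servlet container's session cookie.

```python
# Added example: audit Set-Cookie headers for persistent session cookies and
# missing Secure attributes. Not OFBiz code; sample headers are constructed.
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Fixed reference clock so the "future expiry" check is reproducible.
REFERENCE_NOW = datetime(2010, 12, 7, tzinfo=timezone.utc)

# Assumed name of the servlet container's session cookie (JSESSIONID is the
# servlet-spec default; adjust if the application renames it).
SESSION_COOKIE_NAMES = ("jsessionid",)


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased; attributes without a value (Secure,
    HttpOnly) map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def is_persistent(attrs, now=REFERENCE_NOW):
    """True if the cookie outlives the browser session.

    Max-Age takes precedence over Expires (RFC 6265). A cookie with neither,
    a Max-Age <= 0, or an Expires in the past is a session (RAM-only) cookie.
    """
    max_age = attrs.get("max-age")
    if isinstance(max_age, str):
        try:
            return int(max_age) > 0
        except ValueError:
            return False
    expires = attrs.get("expires")
    if isinstance(expires, str):
        try:
            exp = parsedate_to_datetime(expires)
        except (TypeError, ValueError):
            return False
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        return exp > now
    return False


def audit_set_cookie(header, over_https=True, now=REFERENCE_NOW):
    """Return a list of findings for one Set-Cookie header.

    Only the session cookie is treated as sensitive; other cookies pass.
    """
    name, _, attrs = parse_set_cookie(header)
    if name.lower() not in SESSION_COOKIE_NAMES:
        return []
    findings = []
    if is_persistent(attrs, now):
        findings.append(f"{name}: session identifier stored in a persistent cookie")
    if over_https and "secure" not in attrs:
        findings.append(f"{name}: Secure attribute missing on HTTPS session cookie")
    return findings


def audit_response_headers(headers, over_https=True, now=REFERENCE_NOW):
    """Audit every Set-Cookie header in a list of (name, value) pairs."""
    findings = []
    for key, value in headers:
        if key.lower() == "set-cookie":
            findings.extend(audit_set_cookie(value, over_https, now))
    return findings


# Constructed sample responses: one showing both issues, one with them fixed.
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; Expires=Wed, 06 Dec 2030 23:45:00 GMT"),
    ("Set-Cookie", "theme=dark; Path=/; Max-Age=31536000"),
]
FIXED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/; Max-Age=31536000"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("fixed", FIXED_HEADERS)):
        print(label, audit_response_headers(hdrs) or ["no findings"])
```

Run it against the headers captured from the application (for example by pasting the raw Set-Cookie values into the list) to confirm after a configuration change that the session cookie is issued without Expires/Max-Age and carries Secure on HTTPS; the non-sensitive theme cookie is deliberately allowed to persist.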
