I've raised and just committed ISIS-920; will be part of 1.7.0; add:

isis.viewer.wicket.clearOriginalDestination=true

to isis.properties (or viewer_wicket.properties). (As noted elsewhere, 1.7.0 will run on JDK 1.6).

Thx
Dan

~~~~~~~~~~~~~
On 15 September 2014 03:17, Christopher Fairhall <[email protected]> wrote:

> Another issue our security audit picked up is when you request a
> bookmarkable (and perhaps others?) URL when you're logged out, that request
> gets stored in the HTTP session (this is an assumption based on how it
> appears to work).
>
> When you then log in using the same session id, the user is taken to the
> previous page.
>
> This may look like a convenient feature for users with minimal security
> impact - since it only changes the first page a user sees and does not
> directly execute or change anything - when combined with cross site
> scripting vulnerabilities such as ISIS-884, it means an attacker can
> "preload" a malicious URL in a victim's session while they're logged out of
> the system, and if they log in before their session expires the malicious
> payload is executed.
>
> It means training your users not to browse the internet while they're
> logged in to the application is no longer an effective XSS mitigation.
>
> Is there a way to turn this feature off?
> Would there be any adverse effects of writing a servlet filter to destroy
> and recreate the http session before the login page is displayed?
>
> -------------------------------
> This email and any attachments may contain information that is
> confidential and subject to legal privilege. If you are not the intended
> recipient, any use, dissemination, distribution or duplication of this
> email and attachments is prohibited. If you have received this email in
> error please notify the author immediately and erase all copies of the
> email and attachments. The Ministry of Social Development accepts no
> responsibility for changes made to this message or attachments after
> transmission from the Ministry.
>
> -------------------------------
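The servlet-filter approach Christopher asks about, as an added illustration and not code from Apache Isis or from either poster: on a GET of the sign-in page, any existing (pre-authentication) HTTP session is invalidated and a fresh one created, so a destination URL stored in an anonymous session cannot be replayed after login. The sign-in path and the filter's registration are assumptions; the committed `isis.viewer.wicket.clearOriginalDestination=true` setting is the supported fix.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Drops pre-login session state (including any stored "original
 * destination") whenever the sign-in page is requested, then starts a
 * fresh session for the login form. Hypothetical helper, not part of Isis.
 * Side effect to weigh: an already authenticated user who navigates to the
 * sign-in page is logged out, because their session is discarded too.
 */
public class ClearPreLoginSessionFilter implements Filter {

    // Assumed path of the Wicket sign-in page; adjust for your deployment.
    private static final String SIGN_IN_PATH = "/wicket/signin";

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // Path relative to the web application context.
        String path = request.getRequestURI().substring(request.getContextPath().length());

        // Only act when the login page itself is being rendered, not on the
        // credential POST, which must keep the session that holds the form.
        if ("GET".equals(request.getMethod()) && SIGN_IN_PATH.equals(path)) {
            HttpSession existing = request.getSession(false);
            if (existing != null) {
                existing.invalidate();   // discards the stored destination and all other anonymous state
            }
            request.getSession(true);    // new session id for the login form that follows
        }
        chain.doFilter(req, resp);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Register the filter in web.xml (or via a ServletContainerInitializer) ahead of the Wicket filter so the session is replaced before Wicket reads it.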
