Camunda Optimize / OPT-1996

Hamper cookie theft in Optimize


    Details

    • Type: Task
    • Status: Done
    • Priority: L3 - Default
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: 2.4.0
    • Component/s: backend
    • Labels:

      Description

      AT:

      • for the Optimize cookie the secure and httponly flags are set
      • the http connector can be disabled
      • the http connector is disabled by default
      • the client side (front-end) does not access the cookies any longer
      • the cookie handling is fully handled on server side
      • the configuration documentation in the technical guide is adjusted to changes in the configuration

      Background:

      • The HttpOnly flag prevents JavaScript from accessing the cookie.
      • Use the Secure flag for cookies if you use HTTPS, so the browser never sends them over plain HTTP.
      • Together the two flags make it a lot harder to steal the cookie and with it the user session.
      • Plain HTTP is insecure: in an untrusted environment it allows the whole conversation to be recorded, e.g. to steal session IDs or usernames/passwords.
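As an added check that is not part of this ticket or of Optimize's own code, the following Python audit parses the Set-Cookie header of a response and reports which of the two flags required by the acceptance criteria are missing. The cookie name `optimize-session` and the sample headers are constructed for illustration, not captured from Optimize.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes."""
from dataclasses import dataclass


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool

    @property
    def missing(self) -> list:
        """Flags the acceptance criteria require but this header lacks."""
        out = []
        if not self.secure:
            out.append("Secure")
        if not self.httponly:
            out.append("HttpOnly")
        return out


def audit_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie value of the shape 'name=value; attr; attr=value'.

    Attribute names are matched case-insensitively, as browsers do.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return CookieAudit(name=name, secure="secure" in attrs, httponly="httponly" in attrs)


def audit_response_headers(headers: list, cookie_name: str) -> list:
    """Return the flags missing from the named cookie; raise if it is never set."""
    for key, value in headers:
        if key.lower() == "set-cookie":
            audit = audit_set_cookie(value)
            if audit.name == cookie_name:
                return audit.missing
    raise LookupError(f"no Set-Cookie header for {cookie_name!r}")


# Constructed sample responses (hypothetical cookie name, not Optimize's real one):
# one as it might look before this ticket, one after both flags are set.
WEAK = [("Content-Type", "application/json"),
        ("Set-Cookie", "optimize-session=abc123; Path=/")]
HARDENED = [("Set-Cookie", "optimize-session=abc123; Path=/; Secure; HttpOnly")]

if __name__ == "__main__":
    print("weak:", audit_response_headers(WEAK, "optimize-session"))        # ['Secure', 'HttpOnly']
    print("hardened:", audit_response_headers(HARDENED, "optimize-session"))  # []
```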

            People

            Assignee: Unassigned
            Reporter: Johannes Heinemann (johannes.heinemann)
