Frein,

Did you check David's suggestion?

Jacques

From: "Frein Mccain" <frein.mcc...@gmail.com>

Jacques,

I am using 9.04 release.

On Mon, Dec 6, 2010 at 11:45 PM, Jacques Le Roux <jacques.le.r...@les7arts.com> wrote:

Which release.revision have you used?

Jacques

From: "Frein Mccain" <frein.mcc...@gmail.com>

I've developed an application on OFBiz and found some security issues during testing. Here is the list:

A. Information Leakage through persistent cookies: The web application stores sensitive session information in a permanent cookie (on disk)

Impact of this issue:
• This information may be compromised or used for identity theft or user impersonation.
• The account information may be stolen and used later by a malicious user.

I've checked the Set-Cookie header, and found that the session id cookie has a future expiration date. So, my question is why OFBiz stores sensitive information in persistent cookies instead of non-permanent cookies (RAM cookies) only, and how to fix it.

B. Sensitive Cookie in HTTPS Session Without 'Secure' Attribute: The Secure attribute for sensitive cookies in HTTPS sessions is not set

Impact:
• It is possible to move the ability to enforce the cookie logic to the client-side (the browser). This could allow an attacker to send cookies he/she is not authorized to send.

I've checked the Set-Cookie header, and found that the "secure" attribute is missing. Is there any property file where I can set that "secure" attribute for the cookie?

Cheers,
Frein
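The two checks Frein describes (a session cookie that is persistent because Expires/Max-Age is set, and an HTTPS cookie without the Secure attribute), as an added Python example that is not part of the thread or of OFBiz itself. It assumes the session cookie is named JSESSIONID (Tomcat's default name); the Set-Cookie values are constructed samples.

```python
# Added example (not from the thread or from OFBiz): audit Set-Cookie
# header values for the two findings above. Assumes the session cookie
# is named JSESSIONID (Tomcat's default); sample headers are constructed.
from http.cookies import SimpleCookie

SESSION_COOKIE_NAMES = {"jsessionid"}

# Constructed Set-Cookie values, as a proxy or scanner would capture them.
SAMPLE_HEADERS = [
    # Findings A and B: session cookie with a future Expires and no Secure
    "JSESSIONID=abc123.jvm1; Path=/; Expires=Wed, 06-Dec-2011 23:45:00 GMT",
    # Finding B only: a non-session cookie issued over HTTPS without Secure
    "example.visitor=10010; Path=/; Max-Age=31536000",
    # Clean: in-memory session cookie with Secure set
    "JSESSIONID=def456.jvm1; Path=/; Secure",
]


def audit_set_cookie(header, over_https=True):
    """Return the findings for one Set-Cookie header value.

    A session cookie is flagged as persistent when Expires or Max-Age is
    present (the browser writes it to disk instead of keeping it in RAM).
    Any cookie issued over HTTPS is flagged when Secure is absent, since
    the browser would then also send it over plain HTTP.
    """
    jar = SimpleCookie()
    jar.load(header)
    findings = []
    for name, morsel in jar.items():
        if name.lower() in SESSION_COOKIE_NAMES and (
            morsel["expires"] or morsel["max-age"]
        ):
            findings.append(f"{name}: session cookie is persistent")
        if over_https and not morsel["secure"]:
            findings.append(f"{name}: Secure attribute missing")
    return findings


def audit_all(headers, over_https=True):
    """Map each header value to its findings; an empty list means clean."""
    return {h: audit_set_cookie(h, over_https) for h in headers}


if __name__ == "__main__":
    for header, findings in audit_all(SAMPLE_HEADERS).items():
        print(header)
        for finding in findings:
            print("  -", finding)
```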