Posted to notifications@ofbiz.apache.org by "Jacques Le Roux (Jira)" <ji...@apache.org> on 2020/03/20 17:01:00 UTC

[jira] [Closed] (OFBIZ-11470) Ensure that the SameSite attribute is set to 'strict' for all cookies.

     [ https://issues.apache.org/jira/browse/OFBIZ-11470?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux closed OFBIZ-11470.
-----------------------------------
    Fix Version/s: 17.12.02
                   18.12.01
       Resolution: Fixed

Here is more information about the SameSite attribute from [OWASP Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet:|https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#samesite-cookie-attribute]

bq. All desktop browsers and almost all mobile browsers now support the SameSite attribute. To keep track of the browsers implementing it and the usage of the attribute, refer to the following service. Note that Chrome has announced that they will mark cookies as SameSite=Lax by default from Chrome 80 (due in February 2020), and Firefox and Edge are both planning to follow suit. Additionally, the Secure flag will be required for cookies that are marked as SameSite=None.


bq. It is important to note that this attribute should be implemented as an additional layer defense in depth concept. This attribute protects the user through the browsers supporting it, and it contains as well 2 ways to bypass it as mentioned in the following section. This attribute should not replace having a CSRF Token. Instead, it should co-exist with that token in order to protect the user in a more robust way.

> Ensure that the SameSite attribute is set to 'strict' for all cookies.
> ----------------------------------------------------------------------
>
>                 Key: OFBIZ-11470
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11470
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL APPLICATIONS
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 18.12.01, 17.12.02
>
>
> As reported by OWASP ZAP:
> bq. A cookie has been set without the SameSite attribute, which means that the cookie can be sent as a result of a 'cross-site' request. The SameSite attribute is an effective countermeasure to cross-site request forgery, cross-site script inclusion, and timing attacks.
> The solution was not obvious in OFBiz for 2 reasons:
> # There is no HttpServletResponse::setHeader. So we need to use a filter (SameSiteFilter) and even that is not enough because of 2:
> # To prevent session fixation we force Tomcat to generate a new jsessionId, ultimately put in a cookie, in LoginWorker::login. So we need to add a call to SameSiteFilter::addSameSiteCookieAttribute in UtilHttp::setResponseBrowserDefaultSecurityHeaders.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)