Railo issue RAILO-3115

Admin password-cookie not secure: use httpOnly and improve encryption

    Details

    • Type: Enhancement
    • Status: Resolved
    • Priority: Major
    • Resolution: Duplicate Issue
    • Affects Version/s: 4.2.1.002
    • Fix Version/s: None

      Description

      As described in http://hatriot.github.io/blog/2014/06/25/railo-security-part-one/, the cookie used to store the railo-admin password is not really secure. It can be improved in at least two ways:

      • use the httpOnly attribute when setting the cookie
      • encrypt the cookie value (the password) with a web-context-specific key/salt.
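The two measures the report asks for, shown together as an added example that is not Railo's code or the reporter's: a Go program that derives a per-web-context key from a server-side master secret, encrypts and authenticates the cookie value with AES-256-GCM, and emits the cookie with HttpOnly set (Secure and SameSite are added as the usual companions). The cookie name, path, master-secret value and the HMAC-SHA256 key derivation are assumptions of this example, not Railo's actual scheme.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
)

// contextKey derives a 32-byte key bound to one web context from a master
// secret that lives in server configuration (never in the cookie itself).
// HMAC-SHA256 over a labelled context id is used as the KDF; this is an
// assumption of the example, not Railo's scheme.
func contextKey(master []byte, webContext string) []byte {
	m := hmac.New(sha256.New, master)
	m.Write([]byte("railo-admin-cookie:" + webContext))
	return m.Sum(nil)
}

// sealCookie encrypts and authenticates value with AES-256-GCM under the
// context-specific key. The random nonce is prepended to the ciphertext and
// the context id is bound in as associated data.
func sealCookie(master []byte, webContext, value string) (string, error) {
	block, err := aes.NewCipher(contextKey(master, webContext))
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nonce, nonce, []byte(value), []byte(webContext))
	return base64.RawURLEncoding.EncodeToString(ct), nil
}

// openCookie reverses sealCookie. It returns an error, not garbage, when the
// cookie was issued for another web context or has been modified in transit.
func openCookie(master []byte, webContext, encoded string) (string, error) {
	ct, err := base64.RawURLEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(contextKey(master, webContext))
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(ct) < gcm.NonceSize() {
		return "", errors.New("cookie value too short")
	}
	nonce, body := ct[:gcm.NonceSize()], ct[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, body, []byte(webContext))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// adminCookie builds the cookie as the issue requests: the value is sealed
// and HttpOnly keeps it out of reach of script. Secure and SameSite=Strict
// are added on top. Name and Path are hypothetical, not Railo's.
func adminCookie(master []byte, webContext, secret string) (*http.Cookie, error) {
	v, err := sealCookie(master, webContext, secret)
	if err != nil {
		return nil, err
	}
	return &http.Cookie{
		Name:     "railo_admin_pw",
		Value:    v,
		Path:     "/railo-context/admin/",
		MaxAge:   3600,
		HttpOnly: true,
		Secure:   true,
		SameSite: http.SameSiteStrictMode,
	}, nil
}

func main() {
	master := []byte("master-secret-from-server-config") // constructed sample
	c, err := adminCookie(master, "webctx-1", "admin-password")
	if err != nil {
		panic(err)
	}
	fmt.Println("Set-Cookie:", c.String())
	pt, err := openCookie(master, "webctx-1", c.Value)
	fmt.Println("same context:", pt, err)
	_, err = openCookie(master, "webctx-2", c.Value)
	fmt.Println("other context:", err)
}
```

Binding the context id into both the key derivation and the GCM associated data means a cookie lifted from one web context is rejected outright by another; the HttpOnly flag only protects against script reading the value, so the encryption is what limits the damage of a cookie that leaks some other way.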


              People

              • Assignee: Michael Offner (micstriit)
              • Reporter: Paul Klinkenberg (frinky)
              • Votes: 2
              • Watchers: 2
