make CSRF cookie secure #485

bradcupit · 2014-05-09T01:17:14Z

See original discussion on the GWTP mailing list.

GWTP's CSRF protection sets a cookie whose value is either the JSESSIONID (see HttpSessionSecurityCookieFilter) or a random number (see RandomSecurityCookieFilter).

This works since attackers can't see cookies in CSRF attacks. However, if the attacker can sniff requests then they can see the cookie value, so it would be nice to mark the cookie secure to prevent sniffing.

Right now there's no easy way to mark either HttpSessionSecurityCookieFilter or RandomSecurityCookieFilter's cookies secure. Two different ideas:

make this configurable via Guice/Spring, or
quick and dirty: detect if the request is secure and if so, make the cookie secure:

if (request.isSecure()) {
  cookie.setSecure(true);
}

christiangoudreau · 2014-08-03T20:46:09Z

Sorry for the late acknowledgement, seems fair and useful!

christiangoudreau added this to the 1.4 Release milestone Aug 3, 2014

christiangoudreau assigned Chris-V Aug 3, 2014

bmorris591 mentioned this issue Oct 1, 2014

Feature request: SecurityCookieAccessor async #587

Open

meriouma modified the milestones: 1.4 Release, 1.5 Release Jan 24, 2015

Chris-V removed this from the 1.5 Release milestone Sep 14, 2015

olafleur added the Suggestion label Sep 14, 2015

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

make CSRF cookie secure #485

make CSRF cookie secure #485

bradcupit commented May 9, 2014

christiangoudreau commented Aug 3, 2014

make CSRF cookie secure #485

make CSRF cookie secure #485

Comments

bradcupit commented May 9, 2014

christiangoudreau commented Aug 3, 2014