Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Don't add JSESSIONID in url and set HttpOnly flag. Fixes #3094 #3099

Merged
merged 1 commit into from Sep 21, 2018
Merged

Don't add JSESSIONID in url and set HttpOnly flag. Fixes #3094 #3099

merged 1 commit into from Sep 21, 2018

Conversation

josegar74
Copy link
Member

No description provided.

@josegar74 josegar74 added this to the 3.6.0 milestone Sep 14, 2018
juanluisrp
juanluisrp reviewed Sep 18, 2018
View reviewed changes
Copy link
Contributor

@juanluisrp juanluisrp left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested. GN doesn't append the session id to the URL. However, the cookie JSESSIONID is stored without httpOnly flag allowing scripts to access its value and could be retrieved by an attacker in case of XSS.
https://www.owasp.org/index.php/HttpOnly#Using_Java_to_Set_HttpOnly

@josegar74 josegar74 changed the title Don't add JSESSION in url. Fixes #3094 Don't add JSESSIONID in url and set HttpOnly flag. Fixes #3094 Sep 18, 2018
@josegar74
Copy link
Member Author

Added httpOnly flag also.

@josegar74 josegar74 merged commit 3cf2f23 into geonetwork:master Sep 21, 2018
fxprunayre pushed a commit to fxprunayre/core-geonetwork that referenced this pull request Feb 15, 2019
@josegar74 @jahow
Don't add JSESSIONID in url and set HttpOnly flag geonetwork#3094 (ge…
9ca92a4 
…onetwork#3099)
@juanluisrp juanluisrp mentioned this pull request Mar 13, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@juanluisrp juanluisrp juanluisrp approved these changes

@fxprunayre fxprunayre Awaiting requested review from fxprunayre

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
3.6.0
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@josegar74 @juanluisrp