Bug 571222

Summary: Increase the cid length
Product: [RT] RAP
Reporter: Yuan Li <yuan.li>
Component: RWT
Assignee: Project Inbox <rap-inbox>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: P3
CC: bugs.eclipse.org, ivan, mknauer
Version: 3.7
Target Milestone: 3.16 M3
Hardware: All
OS: All
See Also: https://git.eclipse.org/r/c/rap/org.eclipse.rap/+/176314
https://git.eclipse.org/c/rap/org.eclipse.rap.git/commit/?id=f91139d03f49ed0eeca999d03375d37ce7ae2d58
Whiteboard:

Description Yuan Li CLA 2021-02-16 03:21:16 EST
The cid length is not safe enough, so please increase the length.
Comment 1 Rockhopper CLA 2021-02-16 03:53:25 EST
Let me clarify the request.

In the context of

https://bugs.eclipse.org/bugs/show_bug.cgi?id=413668

the cid is used as anti-csrf token.

On 2015-03-20, a fix has been done:

"To avoid CSRF vulnerability it's recommended to use synchronizer token.
We could use connection id (cid) as synchronizer token, but we need to
generate it on the server, not on the client."

But one of our customers is telling us that 'cid' is too short to be a valid Anti-CSRF-Token.

They are suggesting increasing the length to at least 128 bits.

https://owasp.org/www-community/vulnerabilities/Insufficient_Session-ID_Length
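The requirement stated in this comment (a server-generated connection id used as a synchronizer token, with at least 128 bits of entropy) is illustrated below in Python. This is an added example, not RAP's own ConnectionId code: the function names, the hex encoding, the constructed weak id and the guess-rate figure are all assumptions made here for illustration.

```python
import hmac
import secrets

# Minimum token size cited in the comment above (OWASP guidance on
# insufficient session-ID length): 128 bits of actual entropy.
MIN_TOKEN_BITS = 128


def generate_cid(num_bytes: int = 16) -> str:
    """Return a hex-encoded connection id built from num_bytes bytes of
    CSPRNG output on the server (16 bytes = 128 bits of entropy).

    Hypothetical helper for this example, not RAP's implementation.
    """
    if num_bytes * 8 < MIN_TOKEN_BITS:
        raise ValueError(
            f"{num_bytes * 8} bits is below the {MIN_TOKEN_BITS}-bit minimum"
        )
    return secrets.token_hex(num_bytes)


def entropy_bits_of_hex_cid(cid: str) -> int:
    """Entropy in bits of a hex token produced the way generate_cid does it:
    each hex character carries 4 random bits. The figure only holds for
    CSPRNG output; a counter or timestamp of the same length has far less.
    """
    bytes.fromhex(cid)  # raises ValueError if the string is not valid hex
    return len(cid) * 4


def is_strong_enough(cid: str) -> bool:
    """True when the token meets the 128-bit minimum discussed above."""
    return entropy_bits_of_hex_cid(cid) >= MIN_TOKEN_BITS


def expected_guess_time_seconds(bits: int, guesses_per_second: float) -> float:
    """Expected time for an attacker to hit a valid token by brute force,
    assuming on average half the space must be searched. Used here only to
    show why a short id is inadequate as a synchronizer token.
    """
    return 2 ** (bits - 1) / guesses_per_second


def validate_cid(expected: str, submitted: str) -> bool:
    """Server-side check of the token echoed back with a request, using a
    constant-time comparison so timing does not reveal matching prefixes.
    """
    return hmac.compare_digest(expected.encode(), submitted.encode())


if __name__ == "__main__":
    weak_cid = "a1b2c3d4"  # constructed 32-bit example, not a real RAP cid
    strong_cid = generate_cid()
    rate = 1_000_000.0  # assumed guesses per second, for illustration only
    for label, cid in (("weak", weak_cid), ("strong", strong_cid)):
        bits = entropy_bits_of_hex_cid(cid)
        print(
            f"{label}: {cid} -> {bits} bits, "
            f"meets minimum: {is_strong_enough(cid)}, "
            f"expected brute-force time at {rate:g}/s: "
            f"{expected_guess_time_seconds(bits, rate):.3g} s"
        )
    print("valid round trip:", validate_cid(strong_cid, strong_cid))
    print("tampered token:", validate_cid(strong_cid, strong_cid[:-1] + "0"))
```

The token must be produced on the server (as the quoted 2015 fix already requires) and compared with a constant-time function; entropy, not string length alone, is what makes it hard to guess.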
Comment 2 Eclipse Genie CLA 2021-02-16 04:03:48 EST
New Gerrit change created: https://git.eclipse.org/r/c/rap/org.eclipse.rap/+/176314
Comment 3 Yuan Li CLA 2021-02-16 12:32:06 EST
Additional note: as far as we can see on the Eclipse Demo, the cid length has not been increased in the latest RAP version.
Comment 4 Ivan Furnadjiev CLA 2021-02-16 12:37:38 EST
This change is not merged yet. Pending review.
Comment 6 Markus Knauer CLA 2021-02-18 08:55:11 EST
Please note that this change will be part of M3 end of next week.

The RAP online demo applications will be updated as part of the final release only.