Bug 275380 - RAP Cookies Not Secured
Summary: RAP Cookies Not Secured
Status: RESOLVED FIXED
Alias: None
Product: RAP
Classification: RT
Component: RWT
Version: 1.2
Hardware: All (OS: All)
Importance: P2 normal
Target Milestone: 1.2 M7
Assignee: Project Inbox
Reported: 2009-05-07 17:13 EDT by Austin Riddle
Modified: 2009-05-14 09:24 EDT (History)
Attachments
Patch against 1.2M6 (1.07 KB, patch)
2009-05-07 17:50 EDT, Cole Markham
Patch that secures cookie and validates contents upon read (2.44 KB, patch)
2009-05-12 11:50 EDT, Austin Riddle
Flags: rsternberg: iplog+

Description Austin Riddle 2009-05-07 17:13:39 EDT
Build ID: 1.2 M6

Steps To Reproduce:

1. Go to a secured RAP application site (https)
2. Look at locally stored cookie information
3. See that some cookies are not secured even though the RAP application uses SSL.


We are working on a patch.
Comment 1 Cole Markham 2009-05-07 17:50:51 EDT
Created attachment 134893
Patch against 1.2M6

This patch checks whether the request is secure and sets the parameter of the cookie accordingly.
Comment 2 Austin Riddle 2009-05-12 11:50:07 EDT
Created attachment 135386
Patch that secures cookie and validates contents upon read

Just as a paranoid addendum:

The method getStoreId() in SettingStoreManager.java includes unvalidated data in an HTTP response header. The source of the unvalidated data is getStoreIdFromCookie(). This enables attacks such as cache-poisoning, cross-site scripting, cross-user defacement, page hijacking, cookie manipulation or open redirect.
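The two patches above address two separate weaknesses: the first sets the cookie's Secure flag only when the request actually arrived over TLS, and the second validates the cookie's value before the server reuses it in a response header. The helper below is an added illustration of both points written against the plain Servlet API; it is not RAP's code, and the cookie name `settingStore`, the class name `StoreIdCookieHelper` and the hex-id format are assumptions for this example rather than anything taken from the RAP source.

```java
import java.util.regex.Pattern;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative helper (not RAP's own code) for the two points raised in this bug:
 *  1. the setting-store id cookie must carry the Secure flag when the request came over HTTPS;
 *  2. a value read back from the cookie is client-controlled and must be validated before it is
 *     reused anywhere, in particular before it lands in a response header.
 */
public final class StoreIdCookieHelper {

  // Cookie name is an assumption for this example; RAP's real cookie name is not on this page.
  static final String COOKIE_NAME = "settingStore";

  // Accept only ids of the shape the server generates itself: hex digits, bounded length.
  // CR/LF, semicolons, quotes or markup never match, which is what keeps a tampered cookie
  // from turning into header injection or script when the id is echoed back to the client.
  private static final Pattern VALID_ID = Pattern.compile("[0-9a-fA-F]{8,64}");

  private StoreIdCookieHelper() {}

  /** Writes the id cookie, marking it Secure when the request itself is secure. */
  public static void writeStoreId(HttpServletRequest request,
                                  HttpServletResponse response,
                                  String storeId) {
    if (!isValidStoreId(storeId)) {
      throw new IllegalArgumentException("refusing to write a malformed store id");
    }
    Cookie cookie = new Cookie(COOKIE_NAME, storeId);
    cookie.setPath("/");
    cookie.setHttpOnly(true);             // Servlet 3.0+: keep page script from reading the id
    cookie.setSecure(request.isSecure()); // the first patch: only sent over TLS when served over TLS
    response.addCookie(cookie);
  }

  /** Returns the id from the request cookie, or null if it is absent or not well-formed. */
  public static String readStoreId(HttpServletRequest request) {
    Cookie[] cookies = request.getCookies();
    if (cookies == null) {
      return null;
    }
    for (Cookie cookie : cookies) {
      if (COOKIE_NAME.equals(cookie.getName())) {
        String value = cookie.getValue();
        // The second patch's step: a value that fails validation is treated as missing,
        // so the caller generates a fresh id instead of reflecting the client's input.
        return isValidStoreId(value) ? value : null;
      }
    }
    return null;
  }

  static boolean isValidStoreId(String value) {
    return value != null && VALID_ID.matcher(value).matches();
  }
}
```

One deployment caveat worth checking: `request.isSecure()` reports what the servlet container saw, so behind a TLS-terminating proxy that forwards plain HTTP it returns false and the cookie would be sent without the Secure flag. Where the application is only ever reachable over HTTPS, forcing `setSecure(true)` (or the container's session-cookie `secure` setting) is the safer policy than deriving it per request.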
Comment 3 Ralf Sternberg 2009-05-14 09:24:36 EDT
Thanks Cole and Austin for pointing out these problems. I applied a modified version of the second patch to CVS.