Deprecate current HttpUtilities.setRememberToken() and replace with one not requiring user password #316
Comments
|
@kwwall, is there a way we can "assign" this issue to me? I'm willing to make this improvement. |
|
@xeno6696 Matt - Go for it. Generally we have people either submit a pull request or attach a patch which one of us first reviews before we give someone commit access. That doesn't mean we doubt your mad skillz, but that's just been our practice because before we started that in Google Code we had (at one point) maybe a dozen people who had commit access but never submitted any code. Unfortunately, I don't think I can officially assign this issue to you until you get added to this project on GitHub as having commit access. (Well, let me put it this way, I tried and I was unable to assign it to your user id, so I'm speculating that is the reason why.) |
|
@kwwall do we want to just deprecate the old method and create a new one, or do we want to nukey nukey? |
|
The unit test for setRememberToken is actually partially commented out. We never test it due to some dependency where the cookie is set via setSafeHeader. I don't know why that makes it untestable. |
|
@kwwall , I had to use a bit of reflection but I have a passing unit test for the replacement. So, how did ESAPI typically test something like Cookies in an "integration-like" environment? Our new cookie certainly gets set in the mock response, but before I push I wanted your input. |
…r one that doesn't require user password.
|
@xeno6696 This definitely has to be deprecated. If we flat out remove it, it's liable to break existing application code that is using it. So I would recommend (for time being) just adding a new method to the HttpUtilities interface, but replace 'password' with 'username''. (Even if we didn't use 'username', it would be useful for logging.) Since that would have the same '(String, int, String, String)' args, you would have to use a different method name...maybe something like setRememberMeToken(). As far as testing codes, using the mock responses is likely as good as it gets. Personally, I think a lot of unit testing would have been easier had we been using HttpUnit or something similar, but it may have been (at least pre-Maven days) that they didn't want yet another dependency plus any transitive dependencies that it required that were not already being used. (Although with Maven, I don't think that's such a big deal as we could just mark the as 'test'.) |
|
@kwwall I went ahead and pushed a little bit ago. I deprecated the old method and added warnings in the javadocs. I then created the new method as specified here, it does the same thing as before, just without the password var. HttpUnit would be alright, but @jeremiahjstacey actually introduced me to Wiremock, which sets up mini jetty servers during test execution, so the need for Mocked classes is lower. I'm not sure what the test performance is, but we could try it. It should be faster than HTTPUnit. In the meantime, I'm closing this issue. |
|
Oops...obviously I meant '(HttpServletRequest, HttpServletResponse, String, int, String, String)' for the args. Sorry if any confusion. |
|
I knew what you meant. Also, if you weren't aware, you can wrap inline code comments with backticks so that github will mark them as code.
|
|
@xeno6696 We also should only attempt to set this 'remember me' token if the request is being sent over https, and then in such cases, we should set the cookie's 'secure' and 'httpOnly' flags. If the HttpServletRequest not https, then we should through an exception. Together, those things should help prevent cookie from getting hijacked. |
|
Does that work when replied to from GitHub emails too? On Sat, May 21, 2016 at 12:26 PM, Matt Seil [email protected]
Blog: http://off-the-wall-security.blogspot.com/ | Twitter: @KevinWWall |
|
Apparently not. |
|
Unfortunately, no. |
|
Do you want me to update the deprecated logic with that httpOnly attribute as well? (I plan to, until you say otherwise.) |
|
@xeno6696 wrote:
Good question. On one hand, it may be better to leave it more broken than But yes, let's fix it there too. And note it in the javadoc The other issue with doing this--i.e., assuming we want to do so with -kevinBlog: http://off-the-wall-security.blogspot.com/ | Twitter: @KevinWWall |
|
How about this solution: We fix the current version using ESAPI, but then create a new DefaultHttpUtilities class to support servlet 3.0. We could then update ESAPI over the next months and then in the next-next major release (2.3) we switch the default implementations over to use servlet 3.0. We deprecate all the old 2.5 API items and in 2.2 which would force those who upgrade to change the implementing classes back to the old 2.5 esapi versions which would all be deprecated. Side-note: @jeremiahjstacey had some fantastic ideas to get rid of ESAPI's singleton problem without breaking any existing call structures, while also supporting my vision of breaking esapi up into multiple libraries, as opposed to the kind of monolithic lib it is now. |
|
Also @kwwall, the default setting for secure-only cookies in ESAPI.properties is "false" if that makes any difference. |
|
On Sat, May 21, 2016 at 5:13 PM,
Java 6, IMO they are not really serious about security in the first place
-kevin
|
|
@kwwall :
Help me out here... as far as I can tell, we don't call this except for unit tests! |
|
@xeno6696 I little confused what you meant by that last comment 'Help me out here...as far as I can tell, we don't call this except for unit tests!' I'm not exactly sure what method the 'this' is referring to?
And I guess the better question would be, why does this surprise you as it seems to (based on your exclamation point)? If what was confusing you was my comment that you quoted, what I meant is that we should look at the " |
|
I merged this earlier today... not sure why it didn't close. |
From [email protected] on November 26, 2013 13:27:30
The current HttpUtilities.setRememberToken(String password, int maxAge, String domain, String path) interface takes a user's cleartext password. The reference implementation (DefaultHttpUtilities) creates an AES encrypted HTTP cookie that contains the username and password of the user to be remembered. Storing the password using reversible encryption is contrary to the stated corporate security policies of many companies and therefore using this as a technique to provide unattended login access should be discouraged if for no other reason than corporate policy will (or should) prevent this method from seeing widespread use.
Instead, a new replacement interface something like this:
HttpUtilities.setRememberToken(int maxAge, String domain, String path)
should be implemented to take advantage of CryptoToken which does not require a user's password to be made secure.
Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=311
The text was updated successfully, but these errors were encountered: