ArcBees / GWTP

A complete model-view-presenter framework to simplify your next GWT project.

make CSRF cookie secure #485

Open bradcupit opened 10 years ago

bradcupit commented 10 years ago

See original discussion on the GWTP mailing list.

GWTP's CSRF protection sets a cookie whose value is either the JSESSIONID (see HttpSessionSecurityCookieFilter) or a random number (see RandomSecurityCookieFilter).

This works since attackers can't see cookies in CSRF attacks. However, if the attacker can sniff requests then they can see the cookie value, so it would be nice to mark the cookie secure to prevent sniffing.

Right now there's no easy way to mark either HttpSessionSecurityCookieFilter or RandomSecurityCookieFilter's cookies secure. Two different ideas:

  1. make this configurable via Guice/Spring, or
  2. quick and dirty: detect if the request is secure and if so, make the cookie secure:

     // Mark the CSRF cookie Secure only when the request itself arrived over HTTPS
     if (request.isSecure()) {
       cookie.setSecure(true);
     }
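As an added example (not GWTP's own code) combining both ideas: a servlet filter that issues a random double-submit CSRF cookie and marks it Secure when the request is HTTPS or when a `forceSecure` init-param says so. The class name, cookie name and init-param name are assumptions.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;
// Hypothetical variant of RandomSecurityCookieFilter: the double-submit cookie is
// marked Secure when the operator forces it (idea 1) or the request is HTTPS (idea 2).
public class SecureRandomSecurityCookieFilter implements Filter {
    static final String COOKIE_NAME = "JSESSIONID"; // assumed name, constructed for this example
    private final SecureRandom random = new SecureRandom();
    private boolean forceSecure;

    @Override
    public void init(FilterConfig config) {
        // Idea 1: deploy-time switch for TLS-terminating proxies, where isSecure() is false.
        forceSecure = Boolean.parseBoolean(config.getInitParameter("forceSecure"));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        if (!hasCookie(request, COOKIE_NAME)) {
            ((HttpServletResponse) res).addCookie(buildCookie(request));
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }

    Cookie buildCookie(HttpServletRequest request) {
        byte[] bytes = new byte[32];
        random.nextBytes(bytes); // unpredictable token, not java.util.Random
        Cookie cookie = new Cookie(COOKIE_NAME, Base64.getUrlEncoder().withoutPadding().encodeToString(bytes));
        cookie.setPath("/");
        // Idea 2 plus the idea 1 override. No HttpOnly: the GWT client must read it to echo it.
        cookie.setSecure(forceSecure || request.isSecure());
        return cookie;
    }

    private static boolean hasCookie(HttpServletRequest request, String name) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return false;
        for (Cookie c : cookies) {
            if (name.equals(c.getName())) return true;
        }
        return false;
    }
}
```

Because the double-submit pattern requires the client to read the cookie, Secure is the only cookie flag that can be applied to it; behind a proxy that terminates TLS, rely on the init-param rather than on request.isSecure().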
christiangoudreau commented 10 years ago

Sorry for the late acknowledgement, seems fair and useful!