google-code-export / gwt-platform

Automatically exported from code.google.com/p/gwt-platform

XSRF with security cookie bound to JSESSIONID #429

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?

1. Bind security cookie to JSESSIONID:
bindConstant().annotatedWith(SecurityCookie.class).to("JSESSIONID");

2. Launch application on glassfish.

3. Launch glassfish admin console in another tab.

What is the expected output? What do you see instead?

Get message "Cookie provided by RPC doesn't match request cookie, aborting 
action, possible XSRF attack. (Maybe you forgot to set the security cookie?) " 
in logs. Application is not working.

What version of the product are you using? On what operating system?

0.7

Please provide any additional information below.

When two tabs are opened (application and admin console) we have two cookies 
named JSESSIONID. GWTP checks the first cookie, which is from the admin console, and 
we get this error. 

Original issue reported on code.google.com by andrey.d...@gmail.com on 23 Jul 2012 at 7:51

GoogleCodeExporter commented 9 years ago
Additional information

1. Two cookies are set because the first is for path "/myapplication" and 
the second (admin's) is for path "/".

2. There is a possible solution: change the code fragment.
The problem is in the com.gwtplatform.dispatch.server.AbstractDispatchServiceImpl 
class, in the function cookieMatch. 

/* fragment start  */

// Try to match session tokens to prevent XSRF
Cookie[] cookies = request.getCookies();
String cookieInRequest = null;
if (cookies != null) {
  for (Cookie cookie : cookies) {
    if (cookie.getName().equals(getSecurityCookieName())) {
      cookieInRequest = cookie.getValue();
      break;
    }
  }
}

if (cookieInRequest == null) {
  logger.info("Cookie \"" + getSecurityCookieName() + "\" not found in HttpServletRequest!");
  return false;
}

return cookieInRequest.equals(cookieSentByRPC);

/* fragment end */

COULD BE CHANGED TO

/* fragment start  */

// Try to match session tokens to prevent XSRF.
// Walk ALL cookies with the security cookie name instead of stopping at the
// first one: with two JSESSIONID cookies (paths "/" and "/myapplication")
// the first one seen may belong to another web application.
Cookie[] cookies = request.getCookies();
boolean found = false;
boolean matches = false;
if (cookies != null) {
  for (Cookie cookie : cookies) {
    if (cookie.getName().equals(getSecurityCookieName())) {
      found = true;
      if (cookie.getValue().equals(cookieSentByRPC)) {
        matches = true;
        break;
      }
    }
  }
}

if (!found) {
  logger.info("Cookie \"" + getSecurityCookieName() + "\" not found in HttpServletRequest!");
  return false;
}

// True only if at least one cookie with that name carries the RPC token.
return matches;

/* fragment end */

Original comment by andrey.d...@gmail.com on 23 Jul 2012 at 8:56
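The behaviour described above, as an added example that is not GWTP code: a constructed Cookie header carrying two JSESSIONID cookies (the admin console's "/" cookie listed first) is checked with the original first-match logic and with the proposed any-match logic. Names, values and helper functions here are illustrative assumptions.

```python
# Added example, not from the GWTP project. Reproduces the cookieMatch check
# against a constructed Cookie header with duplicate JSESSIONID cookies.
from typing import List, Tuple


def parse_cookie_header(header: str) -> List[Tuple[str, str]]:
    """Split a Cookie request header into (name, value) pairs, keeping order
    and duplicates. A dict keyed by name would silently drop one JSESSIONID."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        name, value = part.split("=", 1)
        pairs.append((name.strip(), value.strip()))
    return pairs


def cookie_match_first(cookies, name: str, token_from_rpc: str) -> bool:
    """Original behaviour: only the first cookie with this name is compared."""
    for cookie_name, value in cookies:
        if cookie_name == name:
            return value == token_from_rpc
    return False  # security cookie not present at all


def cookie_match_any(cookies, name: str, token_from_rpc: str) -> bool:
    """Proposed fix: accept if ANY cookie with this name carries the RPC token."""
    found = False
    for cookie_name, value in cookies:
        if cookie_name == name:
            found = True
            if value == token_from_rpc:
                return True
    if not found:
        print(f'Cookie "{name}" not found in request')  # stands in for logger.info
    return False


# Constructed header: admin console's "/" cookie first, then the app's cookie.
HEADER = "JSESSIONID=ADMINCONSOLE1; JSESSIONID=MYAPP42; theme=dark"
COOKIES = parse_cookie_header(HEADER)
RPC_TOKEN = "MYAPP42"  # value the client sent as cookieSentByRPC (assumed)

if __name__ == "__main__":
    print("first-only:", cookie_match_first(COOKIES, "JSESSIONID", RPC_TOKEN))  # False
    print("any-match :", cookie_match_any(COOKIES, "JSESSIONID", RPC_TOKEN))    # True
```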

GoogleCodeExporter commented 9 years ago
I'm not sure about the action we will take on this one as we should migrate to 
the GWT XSRF mechanism:

https://developers.google.com/web-toolkit/doc/latest/DevGuideSecurityRpcXsrf

Original comment by goudreau...@gmail.com on 27 Nov 2012 at 3:04