Feature Proposal: Blur auth-Cookie-Name with random string on installation


This should protect users from phishing-attacks on Foswiki-cookies. As every Foswiki installation has its own cookie-name, its harder using scripts to read auth-cookies.

Description and Documentation

On installation of Foswiki ( first configure run ) a random string ( hash of the domain or whatever..) is generated. This string is appended to the current Cookie name, e.g. *FOSSID*12gs14h6#1sa





-- Contributors: EugenMayer - 26 Nov 2008


See also: ConfigurableCookieNamesAndPaths

-- PaulHarvey - 17 Dec 2011

I have no problem with the feature fundamentally, but I'm not sure if it can be sold as a security feature - what kind of attack does this prevent?

-- PaulHarvey - 17 Feb 2012

This is pointless, as far as I can see. The FOSWIKISID cookie is HttpOnly so is inaccessible to javascript. Before proceeding I suggest writing a piece of JS that demonstrates the exploit. I am raising a concern, even though this was accepted by the 14 day rule, as I missed it first time round (3 years ago).

-- CrawfordCurrie - 17 Feb 2012

Okay - I'll change this to rejected proposal. I agree that the FOSWIKIKSID cookie seems sufficiently protected as is.

-- GeorgeClark - 17 Feb 2012
Topic revision: r7 - 17 Feb 2012, GeorgeClark
The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. Creative Commons License    Legal Imprint    Privacy Policy