Hello All,

I notice that ofbiz stores the username inside a browser cookie. I would like to get some comments as to whether this is a potential security risk. E.g.:

JSESSIONID=E4CADD25A32162D92C31DC938C108DFE.jvm1; OFBiz.Visitor=10025; mystuff.autoUserLoginId=admin

Thanks
Since the browser is allowed to store both the login and password, I don't see the problem unless someone is using a public computer.

Wai sent the following on 7/31/2010 9:50 AM:
> I notice that ofbiz stores the username inside a browser cookie. I would like to get some comments as to whether this is a potential security risk?
In reply to this post by Wai
Aren't all cookies a security risk?

-Adrian

--- On Sat, 7/31/10, Wai <[hidden email]> wrote:
> From: Wai <[hidden email]>
> Subject: username stored in browser cookie?
> To: [hidden email]
> Date: Saturday, July 31, 2010, 9:50 AM
>
> I notice that ofbiz stores the username inside a browser cookie. I would like to get some comments as to whether this is a potential security risk?
> --
> View this message in context: http://ofbiz.135035.n4.nabble.com/username-stored-in-browser-cookie-tp2308984p2308984.html
> Sent from the OFBiz - User mailing list archive at Nabble.com.
Not necessarily. It depends on what kind of information is stored in the cookie.

I just think that storing a username in the cookie constitutes a security risk, as that is 50% of the authentication process.
In reply to this post by BJ Freeman
BJ,

Does ofbiz actually store the password in the cookie? Because a cookie is really a text file, anybody who has access to a browser cache would be able to see it. A regular person can see the contents of a cookie just by typing "javascript:document.cookie" in the address bar of the browser.

From your previous posting, I take it that ofbiz should be run in an intranet environment. But that would not quite work for people using the ofbiz ecommerce app, since the ecommerce app stores the username in the cookie as well.

Wai
I don't know what BJ meant, but the idea of storing a password in a cookie is ridiculous, and I'm absolutely sure that OFBiz does not do that. Some software may, but OFBiz couldn't even do that because the only password it has access to is a one-way encrypted (or hashed) version of the password.

Storing a username in a cookie is an unfortunate but common practice. If you use the web much, just take a look at your current cookies and you'll see. Here are some sites that I can see have my username stored in a cookie:

1. paypal.com
2. apple.com
3. skype.com

All of these sites keep financial information (credit card, etc), and do ecommerce in some form or other.

A couple of points about this though:

1. the cookie you referenced was the visitor ID, which is NOT the username, or a party ID or anything, just an ID that may be linked to multiple accounts and is used to track a visitor (really a specific browser on a specific client machine)
2. usernames are not commonly considered secret, and I'm not sure where you got that idea; it is common for usernames to be shown on non-encrypted web pages, and to be sent in plain text in emails too; even in communication like encrypted emails the email address (often used as a username) is sent in plain text

-David

On Jul 31, 2010, at 12:35 PM, Wai wrote:
> BJ,
> does ofbiz actually store the password in the cookie? Because a cookie is really a text file, anybody who has access to a browser cache would be able to see it.
> A regular person can see the contents of a cookie just by typing in "javascript:document.cookie" in the address of the browser.
David,

Thanks for the clarification. I suspected that BJ was joking about the password.

I was running the ecommerce app with the username 'ecomUser1'. Looking at the browser cookie, the username is indeed stored in the cookie ecommerce.autoUserLoginId:

JSESSIONID=6CE1F96832E46AEECF2F537D8CA6419B.jvm1; OFBiz.Visitor=10041; ecommerce.autoUserLoginId=ecomUser1

Even after logout, the username still persists, e.g.:

OFBiz.Visitor=10041; ecommerce.autoUserLoginId=ecomUser1

What this implies is that, on a public computer, the next person would be able to find out the username of the last person that used the ofbiz ecommerce app.

Just as an aside, my paypal account cookie does not contain the username. Here is a sample. As you can see, there is no username/email address in the cookie.

s_sess=%20s_cc%3Dtrue%3B%20s_refresh%3DMy%2720Account%2570Overview%3B%20s_sq%3D%3B

Likewise with skype, there is no personally identifiable info:

__utma=184135460.640743321.1280604163.1280607163.1280704163.1;
__utmb=184135760.1.10.1280704163; __utmc=184137460;
__utmz=184175460.1280604163.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
s_cc=true; s_sq=%5B%5BB%5D%5D;
s_vi=[CS]v1|262A3C72051D3AF6-40000731C035DA5D[CE];
SC=CC=:CCY=CAD:LC=en-us:LIM=:TM=1280704288:TS=1280704264:TZ=-04%7C00:VAT=:VER=;
mbox=check#true#1280607257|session#1280704173508-139822#1280706057|PC#1280607173508-137822.17#1283176197

Nevertheless, I was always under the impression that when an application authenticates a user, only a token is stored in the browser cookie to identify the user. This token is usually the session id.

Thanks
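The persistence Wai describes is what a remembered-login cookie does by design; what separates a careful implementation from a careless one is that the logout path expires the cookie instead of only invalidating the server-side session. The Python script below is an added example and is not OFBiz code: it builds the Set-Cookie headers a hypothetical login and logout handler would emit and runs them through a minimal model of a browser cookie jar, so the effect on the Cookie header can be checked offline. The cookie names and the username come from the thread; the handler names, the 30-day lifetime and the jar model are assumptions of this example.

```python
"""Remembered-login cookie lifecycle: set on login, expired on logout.

Added example, not OFBiz code. Cookie names and the username 'ecomUser1'
are taken from the mailing-list thread; the handler functions, the 30-day
lifetime and the browser-jar model are this example's own assumptions.
"""
from http.cookies import SimpleCookie
from typing import Dict, List

REMEMBER_COOKIE = "ecommerce.autoUserLoginId"   # name seen in Wai's cookie dump
REMEMBER_MAX_AGE = 30 * 24 * 60 * 60            # 30 days (constructed value)


def login_headers(username: str) -> List[str]:
    """Set-Cookie header values a hypothetical login handler emits.

    The remembered username is persistent (Max-Age) so it survives browser
    restarts, and is marked Secure and HttpOnly so it travels only over TLS
    and is not readable from page scripts.
    """
    c = SimpleCookie()
    c[REMEMBER_COOKIE] = username
    c[REMEMBER_COOKIE]["max-age"] = REMEMBER_MAX_AGE
    c[REMEMBER_COOKIE]["path"] = "/"
    c[REMEMBER_COOKIE]["secure"] = True
    c[REMEMBER_COOKIE]["httponly"] = True
    return [m.OutputString() for m in c.values()]


def logout_headers() -> List[str]:
    """Set-Cookie header values a hypothetical logout handler emits.

    Deleting a cookie means re-sending it with the same name and Path, a
    throw-away value and Max-Age=0. A logout that only invalidates the
    server-side session leaves the username on the client, which is what
    Wai observed.
    """
    c = SimpleCookie()
    c[REMEMBER_COOKIE] = "deleted"
    c[REMEMBER_COOKIE]["max-age"] = 0
    c[REMEMBER_COOKIE]["path"] = "/"
    return [m.OutputString() for m in c.values()]


def apply_set_cookie(jar: Dict[str, str], headers: List[str]) -> Dict[str, str]:
    """Minimal model of how a browser updates its jar from Set-Cookie headers.

    A Max-Age of zero or less deletes the cookie; any other header stores or
    overwrites it. Domain/Path scoping is ignored for brevity.
    """
    for header in headers:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            max_age = morsel["max-age"]
            if max_age != "" and int(max_age) <= 0:
                jar.pop(name, None)
            else:
                jar[name] = morsel.value
    return jar


def cookie_header(jar: Dict[str, str]) -> str:
    """Render the jar as the browser would send it in a Cookie request header."""
    return "; ".join(f"{name}={value}" for name, value in jar.items())


def demo() -> Dict[str, str]:
    """Walk through login and logout; returns the jar left after logout."""
    # Constructed starting state, mirroring the dump quoted in the thread.
    jar = {"JSESSIONID": "6CE1F96832E46AEECF2F537D8CA6419B.jvm1",
           "OFBiz.Visitor": "10041"}
    apply_set_cookie(jar, login_headers("ecomUser1"))
    print("after login: ", cookie_header(jar))
    apply_set_cookie(jar, logout_headers())
    print("after logout:", cookie_header(jar))
    return jar


if __name__ == "__main__":
    demo()
```

Running the script shows the username present in the Cookie header after login and gone after logout, while the visitor and session cookies are untouched; a logout handler that omits the Max-Age=0 header reproduces exactly the lingering `ecommerce.autoUserLoginId=ecomUser1` Wai saw.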
On Jul 31, 2010, at 1:32 PM, Wai wrote:
> Nevertheless, I was always under the impression that when an application authenticates a user, only a token is stored in the browser cookie to identify the user. This token is usually the session id.

Session cookies are totally different and separate from the very common username cookies. Keep studying.

-David
--- On Sat, 7/31/10, David E Jones <[hidden email]> wrote:
> Session cookies are totally different and separate from the very common username cookies. Keep studying.

Also keep in mind that storing the session ID in a cookie is a security risk too - that session ID can be hijacked or reused by another user.

Hence my initial question. Cookies are a security threat. That's why modern browsers give you the options of disabling them or removing them when the browser closes.

-Adrian
Adrian Crum wrote:
> Also keep in mind that storing the session ID in a cookie is a security risk too - that session ID can be hijacked or reused by another user.

Yes, but what is the alternative?

Cheers

Michael

> Hence my initial question. Cookies are a security threat. That's why modern browsers give you the options of disabling them or removing them when the browser closes.
>
> -Adrian
In reply to this post by Adrian Crum-2
On Jul 31, 2010, at 1:48 PM, Adrian Crum wrote:
> Also keep in mind that storing the session ID in a cookie is a security risk too - that session ID can be hijacked or reused by another user.
>
> Hence my initial question. Cookies are a security threat. That's why modern browsers give you the options of disabling them or removing them when the browser closes.

Actually, when you are using HTTPS cookies are not generally used for session ID since HTTPS has session tracking built in, so it's not needed. Generally an HTTPS session is fairly hard to hijack (or at least harder than sniffing a cookie in plain text over the wire). In plain HTTP not much is secure, but in HTTPS it is pretty good, including the session tracking.

-David
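Whether the value at stake is the session identifier in JSESSIONID or the remembered username in autoUserLoginId, the attributes on the Set-Cookie header decide who can read or replay it: Secure keeps the cookie off plain-HTTP requests, HttpOnly keeps it out of `document.cookie` (the very trick Wai used to read his), and SameSite limits cross-site sends. The Python audit below is an added example, not part of the thread or of OFBiz: it parses Set-Cookie header values with the standard library and reports the missing attributes, side by side for a weak and a hardened response. The sample headers are constructed; only the cookie names and the JSESSIONID value are taken from the thread, and the set of names treated as session cookies is an assumption.

```python
"""Audit Set-Cookie headers for the attributes that limit cookie exposure.

Added example, not OFBiz code. Cookie names and the JSESSIONID value come
from the thread; the sample headers are constructed, and the set of names
treated as session cookies is an assumption of this example.
"""
from http.cookies import SimpleCookie
from typing import Dict, List

# Names whose value identifies the server-side session (assumption).
SESSION_COOKIES = {"JSESSIONID"}


def audit_set_cookie(header: str) -> Dict[str, List[str]]:
    """Parse one Set-Cookie header value and return {name: [findings]}.

    An empty findings list means the cookie carries Secure, HttpOnly and
    SameSite and, if it is a session cookie, has no fixed lifetime.
    """
    parsed = SimpleCookie()
    parsed.load(header)
    report: Dict[str, List[str]] = {}
    for name, morsel in parsed.items():
        findings: List[str] = []
        if not morsel["secure"]:
            findings.append("missing Secure: also sent over plain HTTP")
        if not morsel["httponly"]:
            findings.append("missing HttpOnly: readable via document.cookie")
        if not morsel.get("samesite"):
            findings.append("missing SameSite: sent on cross-site requests")
        persistent = morsel["max-age"] != "" or morsel["expires"] != ""
        if name in SESSION_COOKIES and persistent:
            findings.append("session cookie has a fixed lifetime: "
                            "should expire when the browser closes")
        elif persistent:
            findings.append("persistent: outlives the browser session, "
                            "so the logout path must expire it")
        report[name] = findings
    return report


def audit_response(set_cookie_headers: List[str]) -> Dict[str, List[str]]:
    """Audit every Set-Cookie header of one HTTP response."""
    report: Dict[str, List[str]] = {}
    for header in set_cookie_headers:
        report.update(audit_set_cookie(header))
    return report


# Constructed samples: Set-Cookie headers for the two cookie names seen in
# the thread, first with no protective attributes, then hardened.
WEAK_RESPONSE = [
    "JSESSIONID=6CE1F96832E46AEECF2F537D8CA6419B.jvm1; Path=/",
    "ecommerce.autoUserLoginId=ecomUser1; Path=/; Max-Age=2592000",
]
HARDENED_RESPONSE = [
    "JSESSIONID=6CE1F96832E46AEECF2F537D8CA6419B.jvm1; Path=/; "
    "Secure; HttpOnly; SameSite=Lax",
    "ecommerce.autoUserLoginId=ecomUser1; Path=/; Max-Age=2592000; "
    "Secure; HttpOnly; SameSite=Lax",
]


def main() -> None:
    for label, headers in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"== {label} ==")
        for name, findings in audit_response(headers).items():
            print(f"{name}: {'ok' if not findings else ''}")
            for finding in findings:
                print(f"  - {finding}")


if __name__ == "__main__":
    main()
```

The hardened remembered-username cookie still gets one finding: a remember-me cookie is persistent by nature, so the audit only flags it as something the logout handler has to clear, whereas a session cookie with a fixed lifetime is reported as a defect in its own right.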
In reply to this post by Michael Wechner
As far as OFBiz is concerned, as long as you use it as intended there is little to worry about - cookie security issues have been addressed. If a user is still concerned about them, they can be directed here:
http://www.us-cert.gov/reading_room/securing_browser/browser_security.html

-Adrian

--- On Sat, 7/31/10, Michael Wechner <[hidden email]> wrote:
> From: Michael Wechner <[hidden email]>
> Subject: Re: username stored in browser cookie?
> To: [hidden email]
> Date: Saturday, July 31, 2010, 1:00 PM
>
> yes, but what is the alternative?
>
> Cheers
>
> Michael
In reply to this post by Wai
Clarification

I said the browser does. When you log in to a site, the browser asks if you want to store the login (userid and password). This has nothing to do with ofbiz.

Wai sent the following on 7/31/2010 11:35 AM:
> does ofbiz actually store the password in the cookie? Because a cookie is really a text file, anybody who has access to a browser cache would be able to see it.
In reply to this post by Adrian Crum-2
From: "Adrian Crum" <[hidden email]>
> Also keep in mind that storing the session ID in a cookie is a security risk too - that session ID can be hijacked or reused by another user.
>
> Hence my initial question. Cookies are a security threat. That's why modern browsers give you the options of disabling them or removing them when the browser closes.
>
> -Adrian

Also there is this type of cookie: http://en.wikipedia.org/wiki/Local_Shared_Object

I use BetterPrivacy on FF.

Jacques
In reply to this post by BJ Freeman
Yes, that's clear BJ, and you're right. Many browsers have "password manager" sorts of things that allow the user to locally save passwords in a usually encrypted store of some sort, and that is very different from a cookie and not anything the server can control.

-David

On Jul 31, 2010, at 2:22 PM, BJ Freeman wrote:
> clarification
> I said the browser does
> when you login to a site the browser ask if you want to store the login (userid and password).
> this has nothing to do with ofbiz.