This repository has been archived by the owner on Mar 20, 2021. It is now read-only.

Client Window feature leaks session id in URLs #4189

Open
javaserverfaces opened this issue Sep 14, 2016 · 3 comments

@javaserverfaces (Collaborator)

With Mojarra the client window identifier is passed along by the jfwid URL parameter between requests. Currently the parameter has the format :.

Including the session id in full form in the URL should be avoided to prevent hijacking of the session when URLs are copied/pasted.

A fix could be to either identify the window only by its ID or replace the session id in the URL by a hash of the session id (if the session id still needs to be validated).

This is not a large security issue since it only happens when URLs are somehow copied and pasted and sent to a malicious 3rd party, but ideally it should be avoided.

Environment: 2.2
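The mitigation proposed in the report, shown as an added, language-agnostic illustration (not Mojarra's code): the leaky form embeds the raw session id in the jfwid value, while the hardened form carries a keyed hash (HMAC-SHA256 here, a stricter choice than the plain hash the report mentions) that the server can still validate against the caller's current session. The server key, session id and window id are constructed sample values.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample values; not real Mojarra identifiers or secrets.
SERVER_KEY = b"constructed-server-side-secret-key"
SESSION_ID = "A1B2C3D4E5F6A7B8C9D0E1F2A3B4C5D6"
WINDOW_ID = "w42"


def leaky_jfwid(session_id: str, window_id: str) -> str:
    """The pattern the report objects to: the raw session id lands in the URL."""
    return f"{session_id}:{window_id}"


def session_token(session_id: str, key: bytes = SERVER_KEY) -> str:
    """Keyed hash of the session id, truncated to 128 bits.

    A copied URL reveals only this token; without the server key it cannot
    be turned back into, or checked against, the real session id.
    """
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()[:32]


def hardened_jfwid(session_id: str, window_id: str) -> str:
    """Hardened form: token of the session id plus the window id."""
    return f"{session_token(session_id)}:{window_id}"


def validate_jfwid(param: str, current_session_id: str) -> Optional[str]:
    """Return the window id if the token binds to the caller's own session.

    Any malformed value, or a token minted for another session, yields None,
    so a pasted URL cannot attach a foreign window state to a visitor.
    """
    token, sep, window_id = param.partition(":")
    if not sep or not window_id:
        return None
    # Constant-time comparison so token checks do not leak timing information.
    if not hmac.compare_digest(token, session_token(current_session_id)):
        return None
    return window_id


if __name__ == "__main__":
    print("leaky:   ", leaky_jfwid(SESSION_ID, WINDOW_ID))
    print("hardened:", hardened_jfwid(SESSION_ID, WINDOW_ID))
    print("validated window:", validate_jfwid(hardened_jfwid(SESSION_ID, WINDOW_ID), SESSION_ID))
```

Validation still requires the server to know the current session id from its own session handling (the cookie), which is the point: the URL alone is no longer a usable credential.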

@javaserverfaces (Collaborator, Author)

Reported by frederickkaempfer

@javaserverfaces (Collaborator, Author)

This issue was imported from java.net JIRA JAVASERVERFACES-4185

@edburns (Member) commented Oct 29, 2017

Please see this important message regarding community contributions to Mojarra.

https://javaee.groups.io/g/jsf-spec/message/30

Also, please consider joining that group, as that group has taken the place of the old [email protected] mailing list.

Thanks,

Ed Burns
