
Need enhancements to session.enable.phishing.protection to support SSL to non-SSL switching

    Details

    • Type: Feature Request
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Labels: None

    Description

    The problem, as seen from LPP-6367:

    session.enable.phishing.protection=false => the session ID in step 2 is transmitted over HTTP and can be accessed by a MITM. In step 4 the session ID is authenticated and no new session is created => the attacker can now use it.

    My question to Tomas:

    Would setting the following:
    session.enable.phishing.protection=true
    protect the session ID?

    Tomas' response:

    session.enable.phishing.protection: it seems it's used only for login form authentication. That means the session is refreshed only during the form login. But AutoLoginFilter doesn't use the property, which means all SSO authentications we have are vulnerable. => No, it won't protect the sessionId.

    Thus, we need enhancements to session.enable.phishing.protection to support this.
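Added example, not Liferay's code: a small Python model of the session lifecycle in the scenario above, showing that the session ID captured before authentication stays valid after login unless the session is renewed, and that renewal has to happen on the auto-login (SSO) path as well as on form login. The property name comes from the issue; the SessionStore class, its renew_on_auto_login flag and the two login methods are assumptions of this model.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class SessionStore:
    """Constructed model of server-side sessions keyed by session ID (not Liferay's)."""
    phishing_protection: bool           # models session.enable.phishing.protection
    renew_on_auto_login: bool = False   # assumed flag: the enhancement this issue asks for
    sessions: dict = field(default_factory=dict)

    def new_session(self) -> str:
        """Step 2 of the scenario: anonymous session whose ID travels over plain HTTP."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def _renew(self, sid: str) -> str:
        """Move the session state to a fresh ID and invalidate the old one."""
        state = self.sessions.pop(sid)
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = state
        return new_sid

    def form_login(self, sid: str, user: str) -> str:
        """Form login: the session is refreshed only when the property is enabled."""
        if self.phishing_protection:
            sid = self._renew(sid)
        self.sessions[sid]["user"] = user
        return sid

    def auto_login(self, sid: str, user: str) -> str:
        """SSO path (cf. AutoLoginFilter): today it ignores the property entirely."""
        if self.phishing_protection and self.renew_on_auto_login:
            sid = self._renew(sid)
        self.sessions[sid]["user"] = user
        return sid

    def user_for(self, sid: str):
        """Identity a request presenting this ID is treated as; None if anonymous or invalid."""
        return self.sessions.get(sid, {}).get("user")


def captured_id_usable_after(store: SessionStore, path: str) -> bool:
    """Replay the scenario: ID observed pre-auth (MITM), victim then authenticates with it.

    Returns True if the pre-auth ID now carries the victim's identity, i.e. session
    fixation succeeds; False if renewal invalidated it.
    """
    captured = store.new_session()
    login = store.form_login if path == "form" else store.auto_login
    login(captured, "victim")
    return store.user_for(captured) == "victim"
```

Running captured_id_usable_after over both paths with the property on and off reproduces the issue's claim: only the form-login path is protected until auto-login renews the session too.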

    People

    Assignee: support-lep@liferay.com SE Support
    Reporter: james.lefeu James Lefeu (Inactive)