Chemistry (Retired) / CMIS-939

Cookie Security: Persistent Cookie is used


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Invalid
    • Affects Version/s: OpenCMIS 0.13.0
    • Fix Version/s: None
    • Component/s: opencmis-client
    • Labels: None

    Description

      Storing sensitive data in a persistent cookie can lead to a breach of confidentiality or account compromise.

      Explanation:

      Most Web programming environments default to creating non-persistent cookies. These cookies reside only in browser memory (they are not written to disk) and are lost when the browser is closed. Programmers can specify that cookies be persisted across browser sessions until some future date. Such cookies are written to disk and survive across browser sessions and computer restarts.

      If private information is stored in persistent cookies, attackers have a larger time window in which to steal this data - especially since persistent cookies are often set to expire in the distant future. Persistent cookies are often used to profile users as they interact with a site. Depending on what is done with this tracking data, it is possible to use persistent cookies to violate users' privacy.

      In this case, setMaxAge() is called in AbstractBrowserServiceCall.java at line 216 with a non-zero parameter. This max age is also not configurable or possible to disable.
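As an added example (not OpenCMIS code), a small checker that classifies Set-Cookie headers the way the explanation above distinguishes session cookies from persistent ones. The sample headers are constructed, and the max-age rules mirror the servlet Cookie.setMaxAge() contract: a negative value (the default) yields a session cookie, zero deletes the cookie, and a positive value keeps it for that many seconds.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed Set-Cookie headers covering a session cookie, a deletion,
# a one-year Max-Age cookie and an Expires-based cookie.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; HttpOnly",
    "tracker=; Max-Age=0; Path=/",
    "profile=u42; Max-Age=31536000; Path=/; Secure; HttpOnly",
    "legacy=x; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/",
]

# Constructed reference time so the Expires case evaluates deterministically.
FIXED_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, attributes dict, flag set)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs, flags = {}, set()
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            flags.add(part.lower())
    return name, attrs, flags

def classify_cookie(header, now=None):
    """Return (name, kind) where kind is 'session', 'deletion' or 'persistent:<seconds>'.

    No Max-Age/Expires is what setMaxAge() with a negative value produces.
    Max-Age takes precedence over Expires when both are present (RFC 6265, 5.3).
    """
    now = now or datetime.now(timezone.utc)
    name, attrs, _ = parse_set_cookie(header)
    if "max-age" in attrs:
        seconds = int(attrs["max-age"])
    elif "expires" in attrs:
        seconds = int((parsedate_to_datetime(attrs["expires"]) - now).total_seconds())
    else:
        return name, "session"
    return name, "deletion" if seconds <= 0 else f"persistent:{seconds}"

def find_persistent(headers, max_seconds=86400, now=None):
    """Names of cookies that outlive max_seconds: a review list, not a verdict."""
    hits = []
    for header in headers:
        name, kind = classify_cookie(header, now)
        if kind.startswith("persistent:") and int(kind.split(":")[1]) > max_seconds:
            hits.append(name)
    return hits
```

Run `find_persistent(SAMPLE_HEADERS, now=FIXED_NOW)` to list cookies that survive longer than a day; whether such a cookie is a finding still depends on what it stores, which is the question this report's resolution turns on.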


      People

        Assignee: Unassigned
        Reporter: Donald Kwakkel (dkwakkel)
        Votes: 0
        Watchers: 1
