[ https://issues.apache.org/jira/browse/CMIS-939?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14708954#comment-14708954 ]

Donald Kwakkel commented on CMIS-939:
-------------------------------------

Just found out it is a transaction cookie and not an authentication cookie, so closing
this ticket.

> Cookie Security: Persistent Cookie is used
> ------------------------------------------
>
>                 Key: CMIS-939
>                 URL: https://issues.apache.org/jira/browse/CMIS-939
>             Project: Chemistry
>          Issue Type: Bug
>          Components: opencmis-client
>    Affects Versions: OpenCMIS 0.13.0
>            Reporter: Donald Kwakkel
>
> Storing sensitive data in a persistent cookie can lead to a breach of 
> confidentiality or account compromise.
> Explanation:
> Most Web programming environments default to creating non-persistent cookies. 
> These cookies reside only in browser memory (they are not written to disk) 
> and are lost when the browser is closed. Programmers can specify that cookies 
> be persisted across browser sessions until some future date. Such cookies are 
> written to disk and survive across browser sessions and computer restarts.
> If private information is stored in persistent cookies, attackers have a 
> larger time window in which to steal this data - especially since persistent 
> cookies are often set to expire in the distant future. Persistent cookies are 
> often used to profile users as they interact with a site. Depending on what 
> is done with this tracking data, it is possible to use persistent cookies to 
> violate users' privacy.
> In this case setMaxAge() is called in AbstractBrowserServiceCall.java at line 
> 216 with a non-zero parameter. This max age is also not configurable/possible 
> to disable.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
