Feature Proposal: Blur auth-Cookie-Name with random string on installation
Motivation
This should protect users from phishing attacks on Foswiki cookies. As every Foswiki installation has its own cookie name, it is harder to read auth cookies using scripts.
Description and Documentation
On installation of Foswiki (first configure run) a random string (hash of the domain or whatever) is generated. This string is appended to the current cookie name, e.g. *FOSSID*12gs14h6#1sa
Examples
Impact
Implementation
--
Contributors: EugenMayer - 26 Nov 2008
Discussion
See also: ConfigurableCookieNamesAndPaths
--
PaulHarvey - 17 Dec 2011
I have no problem with the feature fundamentally, but I'm not sure if it can be sold as a security feature - what kind of attack does this prevent?
--
PaulHarvey - 17 Feb 2012
This is pointless, as far as I can see. The FOSWIKISID cookie is HttpOnly, so is inaccessible to javascript. Before proceeding I suggest writing a piece of JS that demonstrates the exploit. I am raising a concern, even though this was accepted by the 14 day rule, as I missed it first time round (3 years ago).
--
CrawfordCurrie - 17 Feb 2012
Okay - I'll change this to a rejected proposal. I agree that the FOSWIKISID cookie seems sufficiently protected as is.
--
GeorgeClark - 17 Feb 2012