Version 1.1 by vmassol on 2006/12/17


Cookie Encryption Keys

When a user chooses to be remembered when he logs in, a cookie is saved on his machine. The cookie is encrypted so that nobody having access to it can see the username/password. This encryption is done using 2 configuration parameters located in the xwiki.cfg configuration file. This file is located in WEB-INF/ in the XWiki WAR (see the Installation for where it's installed).

It's important you edit the xwiki.cfg file to modify the cookie authentication and encryption keys as they use default values when you install XWiki and these predefined values could be used by an attacker to decode the username/password. To prevent this change the following 2 configuration parameters:

  • xwiki.authentication.validationKey
  • xwiki.authentication.encryptionKey

In future versions we'd like to generate random and host-dependent key pairs at installation time (see the following issue for details).


Get Connected