Change comment:
Updated the relative links.
Summary
Page properties (1 modified, 0 added, 0 removed)
Details
- Page properties
- Content
... ... 
@@ -36,20 +36,20 @@ 36 36 37 37 === Cookie Encryption Keys === 38 38 39 -When a user logs in, three cookies are saved on his machine containing the username, password and a "nothing up my sleeve" hash. The cookies are encrypted so that nobody having access to them can see the username/password. This encryption is done using 2 configuration parameters located in the //xwiki.cfg// configuration file. This file is located in //WEB-INF/// in the XWiki WAR (see the [[Installation guide>>AdminGuide.Installation]] for where it's installed). 40 -It's important you edit the //[[xwiki.cfg>>AdminGuide.Configuration#HSamplexwiki.cfg]]// file to modify the cookie authentication and encryption keys as they use default values when you install XWiki and these predefined values could be used by an attacker to decipher the username and password. To prevent this, change the following 2 configuration parameters: 39 +When a user logs in, three cookies are saved on his machine containing the username, password and a "nothing up my sleeve" hash. The cookies are encrypted so that nobody having access to them can see the username/password. This encryption is done using 2 configuration parameters located in the //xwiki.cfg// configuration file. This file is located in //WEB-INF/// in the XWiki WAR (see the [[Installation guide>>platform:AdminGuide.Installation]] for where it's installed). 40 +It's important you edit the //[[xwiki.cfg>>platform:AdminGuide.Configuration#HSamplexwiki.cfg]]// file to modify the cookie authentication and encryption keys as they use default values when you install XWiki and these predefined values could be used by an attacker to decipher the username and password. To prevent this, change the following 2 configuration parameters: 41 41 42 42 * //xwiki.authentication.validationKey// 43 43 * //xwiki.authentication.encryptionKey// 44 44 45 -See the [[Authentication parameters section>>AdminGuide.Authentication#HAuthenticationparameters]] for more details. 
45 +See the [[Authentication parameters section>>platform:AdminGuide.Authentication#HAuthenticationparameters]] for more details. 46 46 47 47 In future versions we'd like to generate random and host-dependent key pairs at installation time (see the following [[issue>>https://jira.xwiki.org/browse/XWIKI-542]] for details). 48 48 49 49 === Encrypt cookies using IP address === 50 50 51 -Even if the password cannot be extracted from the cookie, the cookies might be stolen (see [[XSS>>#HCrossSiteScripting]]) and used as they are. 52 -By setting the //[[xwiki.cfg>>AdminGuide.Configuration#HSamplexwiki.cfg]]// parameter ##xwiki.authentication.useip## to true you can block the cookies from being used except by the same IP address which got them. 51 +Even if the password cannot be extracted from the cookie, the cookies might be stolen (see [[XSS>>platform:AdminGuide.Security#HCrossSiteScripting]]) and used as they are. 52 +By setting the //[[xwiki.cfg>>platform:AdminGuide.Configuration#HSamplexwiki.cfg]]// parameter ##xwiki.authentication.useip## to true you can block the cookies from being used except by the same IP address which got them. 53 53 54 54 == Override version information == 55 55 ... ... @@ -153,7 +153,7 @@ 153 153 154 154 * Avoid "Privileged API" whenever possible and only use non API when absolutely necessary. If each of your calls requires you to pass the context as a parameter, you're doing it wrong. 155 155 156 -For more information check the [[XWiki API Reference>>DevGuide.API]]. 156 +For more information check the [[XWiki API Reference>>platform:DevGuide.API]]. 157 157 158 158 == Cross Site Scripting == 159 159
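Review bot: in the first hunk (`@@ -36,20 +36,20 @@`), line 51 changes the XSS link from the same-page anchor `[[XSS>>#HCrossSiteScripting]]` to the explicit reference `[[XSS>>platform:AdminGuide.Security#HCrossSiteScripting]]`, while the second hunk shows the `== Cross Site Scripting ==` heading living in this very document at line 158. The explicit target is only correct if this page is `AdminGuide.Security` in the `platform` wiki; otherwise the link silently stops pointing at the section below. Either keep the relative `#HCrossSiteScripting` anchor for the in-page reference or confirm the page name before merging. The remaining edits in this hunk (`AdminGuide.Installation`, `AdminGuide.Configuration#HSamplexwiki.cfg`, `AdminGuide.Authentication#HAuthenticationparameters`) are consistent with each other and with the change comment.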
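Review bot: in the second hunk (`@@ -153,7 +153,7 @@`), line 156 now targets `platform:DevGuide.API`, so every cross-page link in this change hard-codes the `platform` wiki identifier rather than staying relative as the change comment "Updated the relative links" suggests. That is fine when the documentation is served from that wiki, but it means the links break if the page is ever copied to another wiki; a one-line note in the change comment that the `platform:` prefix is intentional would make the intent clear to the next editor. Also, the unchanged context at line 154, "only use non API when absolutely necessary", reads awkwardly; while this section is being touched, "only use non-API classes when absolutely necessary" would be clearer.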