Changes for page Security

Last modified by Vincent Massol on 2021/07/21

From version 21.3 (edited by Vincent Massol on 2017/09/06) to version 22.1 (edited by Vincent Massol on 2017/09/06)
Change comment: Renamed back-links.

Page properties
Content
... ... @@ -36,20 +36,20 @@
36 36  
37 37  === Cookie Encryption Keys ===
38 38  
39 -When a user logs in, three cookies are saved on his machine containing the username, password and a "nothing up my sleeve" hash. The cookies are encrypted so that nobody having access to them can see the username/password. This encryption is done using 2 configuration parameters located in the //xwiki.cfg// configuration file. This file is located in //WEB-INF/// in the XWiki WAR (see the [[Installation guide>>platform:AdminGuide.Installation]] for where it's installed).
40 -It's important you edit the //[[xwiki.cfg>>platform:AdminGuide.Configuration#HSamplexwiki.cfg]]// file to modify the cookie authentication and encryption keys as they use default values when you install XWiki and these predefined values could be used by an attacker to decipher the username and password. To prevent this, change the following 2 configuration parameters:
39 +When a user logs in, three cookies are saved on his machine containing the username, password and a "nothing up my sleeve" hash. The cookies are encrypted so that nobody having access to them can see the username/password. This encryption is done using 2 configuration parameters located in the //xwiki.cfg// configuration file. This file is located in //WEB-INF/// in the XWiki WAR (see the [[Installation guide>>Documentation.AdminGuide.Installation]] for where it's installed).
40 +It's important you edit the //[[xwiki.cfg>>Documentation.AdminGuide.Configuration#HSamplexwiki.cfg]]// file to modify the cookie authentication and encryption keys as they use default values when you install XWiki and these predefined values could be used by an attacker to decipher the username and password. To prevent this, change the following 2 configuration parameters:
41 41  
42 42  * //xwiki.authentication.validationKey//
43 43  * //xwiki.authentication.encryptionKey//
44 44  
45 -See the [[Authentication parameters section>>platform:AdminGuide.Authentication#HAuthenticationparameters]] for more details.
45 +See the [[Authentication parameters section>>Documentation.AdminGuide.Authentication.WebHome#HAuthenticationparameters]] for more details.
46 46  
47 47  In future versions we'd like to generate random and host-dependent key pairs at installation time (see the following [[issue>>https://jira.xwiki.org/browse/XWIKI-542]] for details).
48 48  
49 49  === Encrypt cookies using IP address ===
50 50  
51 -Even if the password cannot be extracted from the cookie, the cookies might be stolen (see [[XSS>>platform:AdminGuide.Security#HCrossSiteScripting]]) and used as they are.
52 -By setting the //[[xwiki.cfg>>platform:AdminGuide.Configuration#HSamplexwiki.cfg]]// parameter ##xwiki.authentication.useip## to true you can block the cookies from being used except by the same IP address which got them.
51 +Even if the password cannot be extracted from the cookie, the cookies might be stolen (see [[XSS>>Documentation.AdminGuide.Security#HCrossSiteScripting]]) and used as they are.
52 +By setting the //[[xwiki.cfg>>Documentation.AdminGuide.Configuration#HSamplexwiki.cfg]]// parameter ##xwiki.authentication.useip## to true you can block the cookies from being used except by the same IP address which got them.
53 53  
54 54  == Override version information ==
55 55  
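Review bot: The renamed targets in this hunk are not of one shape: line 45 now points at `Documentation.AdminGuide.Authentication.WebHome#HAuthenticationparameters` (with a `.WebHome` suffix), while lines 39, 40, 51 and 52 point at `Documentation.AdminGuide.Installation`, `Documentation.AdminGuide.Configuration#HSamplexwiki.cfg` and `Documentation.AdminGuide.Security#HCrossSiteScripting` without it. If the Authentication page is the only nested page this is correct, but it is worth confirming that each of the five new targets actually resolves, since the three links carrying a `#H...` fragment (`#HSamplexwiki.cfg`, `#HCrossSiteScripting`, `#HAuthenticationparameters`) will still render as links even when the page or anchor has moved, and these are precisely the links an administrator follows to rotate the default `xwiki.authentication.validationKey` / `xwiki.authentication.encryptionKey` values and to enable `xwiki.authentication.useip`. A broken pointer there leaves the default-key warning in line 40 without a working path to the fix. The prose itself is unchanged in the `-`/`+` pairs, so this is a link-only review.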