Feature Proposal: Blur auth-Cookie-Name with random string on installation

Motivation

This should protect users from phishing attacks on Foswiki cookies. As every Foswiki installation has its own cookie name, it is harder to use generic scripts to read auth cookies.

Description and Documentation

On installation of Foswiki (first configure run) a random string (a hash of the domain, or similar) is generated. This string is appended to the current cookie name, e.g. *FOSSID*12gs14h6#1sa
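One way to derive such a per-installation cookie name, as an added example and not Foswiki's own code: a hash of the public domain alone would be guessable by anyone who knows the site, so this version mixes in a secret generated once at install time and validates that the result is still a legal cookie-name token. All function names and the `FOSWIKISID_` prefix layout are assumptions for illustration.

```python
import hashlib
import re
import secrets

# Default Foswiki session cookie name as named in the discussion on this page.
COOKIE_BASE = "FOSWIKISID"

# RFC 6265 cookie-name is an HTTP token: no control chars, separators such as
# ';', '=', ',', '"', or whitespace.
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def generate_install_secret() -> bytes:
    """Random secret created once during the first configure run (hypothetical)."""
    return secrets.token_bytes(32)


def derive_cookie_suffix(domain: str, install_secret: bytes, length: int = 12) -> str:
    """Hex suffix from a keyed hash of the site domain.

    The secret makes the suffix unpredictable without access to the server
    configuration; the domain keeps it stable across restarts of one site.
    """
    material = install_secret + domain.strip().lower().encode("utf-8")
    return hashlib.sha256(material).hexdigest()[:length]


def build_cookie_name(domain: str, install_secret: bytes, base: str = COOKIE_BASE) -> str:
    """Combine the base name and derived suffix, rejecting illegal token chars."""
    name = f"{base}_{derive_cookie_suffix(domain, install_secret)}"
    if not _TOKEN_RE.fullmatch(name):
        raise ValueError(f"not a valid cookie-name token: {name!r}")
    return name


if __name__ == "__main__":
    # Constructed values; a real installation would persist the secret in its config.
    secret = generate_install_secret()
    print(build_cookie_name("wiki.example.org", secret))
```

The suffix is deterministic for a given secret and domain, so every front-end of the same installation produces the same cookie name, while two installations with different secrets produce different names.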

Examples

Impact


Implementation

-- Contributors: EugenMayer - 26 Nov 2008

Discussion

See also: ConfigurableCookieNamesAndPaths

-- PaulHarvey - 17 Dec 2011

I have no problem with the feature fundamentally, but I'm not sure if it can be sold as a security feature - what kind of attack does this prevent?

-- PaulHarvey - 17 Feb 2012

This is pointless, as far as I can see. The FOSWIKISID cookie is HttpOnly, so it is inaccessible to JavaScript. Before proceeding I suggest writing a piece of JS that demonstrates the exploit. I am raising a concern, even though this was accepted by the 14 day rule, as I missed it first time round (3 years ago).

-- CrawfordCurrie - 17 Feb 2012
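The objection above rests on the session cookie actually being sent with the HttpOnly attribute. The following added example (not Foswiki code, not from any participant in this thread) parses `Set-Cookie` header values and reports missing protective attributes, so an operator can confirm what their own server emits; the header lines are constructed for illustration.

```python
from typing import Dict, List

# Constructed sample Set-Cookie values; not captured from a real Foswiki site.
SAMPLE_HEADERS = [
    "FOSWIKISID=abc123; path=/; HttpOnly",
    "FOSWIKISID=abc123; path=/; Secure; HttpOnly; SameSite=Lax",
    "FOSWIKISID=abc123; path=/",
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split a Set-Cookie value into name, value and a lower-cased attribute map.

    Flag attributes (HttpOnly, Secure) map to True; valued ones keep their value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_session_cookie(header: str, expect_https: bool = True) -> List[str]:
    """Return a list of findings for a session cookie header; empty means OK."""
    attrs = parse_set_cookie(header)["attrs"]
    findings: List[str] = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie is exposed to document.cookie")
    if expect_https and "secure" not in attrs:
        findings.append("missing Secure: cookie may be sent over plain HTTP")
    if "samesite" not in attrs:
        findings.append("missing SameSite: cross-site requests carry the cookie")
    return findings


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(h)
        for f in audit_session_cookie(h) or ["ok"]:
            print("  -", f)
```

Run it against the real header captured from a browser's network panel or a `curl -I` of the login page; a cookie that already carries HttpOnly is not readable from page scripts regardless of how its name is chosen.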

Okay - I'll change this to rejected proposal. I agree that the FOSWIKISID cookie seems sufficiently protected as is.

-- GeorgeClark - 17 Feb 2012
Topic revision: r7 - 17 Feb 2012, GeorgeClark