Skip to main content

ATG - how to prevent Cross-Site attacks using _dynSessConf parameter


Cross-site scripting attacks take advantage of a vulnerability that enables a malicious site to use your browser to submit form requests to another site.

In order to protect forms from cross-site attacks in ATG, you can enable form submissions to automatically supply the request parameter _dynSessConf, which identifies the current session through a randomly generated long number. On submission of a form (using dsp:form tag) or activation of a property setting (using dsp:a tag), the request-handling pipeline ( DAFDropletEventServlet ) validates _dynSessConf  against its session confirmation identifier. If it detects a mismatch or missing number, it can block form processing and return an error.

To disable this functionality, we could give the following properties (@ /atg/dynamo/Configuration to disable it globally)
enforceSessionConfirmation = false -->  specifies whether the request-handling pipeline requires session confirmation in order to process the request; the default value is true.
warnOnSessionConfirmationFailure = false --> specifies whether to issue a warning on a confirmation number mismatch; the default value is true.

You can control session confirmation for individual requests by setting the attribute requiresSessionConfirmation to true or false on the applicable dsp:form or dsp:a tag. If this attribute is set to false, the _dynSessConf parameter is not included in the HTTP request and the request-handling pipeline skips validation of this request’s session confirmation number.
Labels:

Comments

  1. Anonymous15 May 2014 at 00:53

    http://docs.oracle.com/cd/E24152_01/Platform.10-1/ATGBusCommRefGuide/html/s1402sessionexpirationfromlackofusera01.html

    Can we handle 409 conflict using CheckSessionExpiration?
    I tried this. But before reaching request to pipeline,web.xml redirect to url mention there.

    ReplyDelete

Post a Comment

Popular posts from this blog

Income Tax process and e-filing

http://financeminister.in/income_tax_calculator.php https://incometaxindiaefiling.gov.in Below I am listing the step-by-step activities of the Tax Process that a working professional need to do in a given Financial Year. Here FY refers to Financial Year  and  AY refers to Assesment Year. Each month we will pay the Tax (From APRIL 20xx to MARCH 20xx+1) through our Employer for the FY 20xx – 20xx+1. In the month April 20xx, we will give the investment details to the employer (in our employer specified portal) for the FY 20xx – 20xx+1. In the month January 20xx+1, we will give the investment proof details , Rent receipts… to the Employer Finance Department for the FY 20xx – 20xx+1. In the month MAY/JUNE 20xx+1, employer gives the Form 16 for the FY 20xx – 20xx+1 to us (The proof given by the employer to the employee for the tax paid by the employee). In the month July 20xx+1 (on or before July 31st of every year), we will fill the ITR forms (earlier it was NayaSaral f...
2 comments
Read more

Eclipse Kepler - good features of Eclipse 4.3 ( Eclipse Kepler ) JDT / Workbench

Detached windows with sash When you detach a view or editor into its own separate window, it now has all the capabilities of a normal workbench window. They now support multiple stacks of views separated by sashes with arbitrary layouts. The detached parts will remain synchronized with the master window that they were detached from. This is especially handy for people developing with two or more monitors, so they can spread views across several monitors and keep them synchronized. Import nested projects The Import Projects wizard now has an option to continue searching for projects to import recursively within any project it finds. This allows you to import physically nested projects at the same time. Open Resource dialog enhancements The Open Resource (Ctrl+Shift+R) dialog now offers direct access to the Show In and Open With menus via drop-down buttons. On platforms that support mnemonics, the buttons are also accessible via Alt+W and Alt+H. Whole word option...
Post a Comment
Read more

Display date and time for a DATE field @ SqlDeveloper

For date fields, by default SQL Developer will display only the date without time. To set it to display the time as well, do the following: Go to SQL Developer –> Tools >> Preferences. Select Database >> NLS Parameters from the left panel. From the list of NLS parameters, enter DD-MON-RR HH24:MI:SS into the Date Format field. Save and close
Post a Comment
Read more

ATG User Profile schema ER diagram

Check out the Product Catalog  schema ER-Diagram @  http://tips4ufromsony.blogspot.in/2012/01/atg-product-catalog-schema-er-diagram.html Check out the O rder schema ER-Diagram @   http://tips4ufromsony.blogspot.in/2012/02/atg-order-schema-er-diagram.html If you would like to know the relationship between different User Profile schema tables, please find below screen shot of  Profile schema ER Diagrams.  
Post a Comment
Read more

Basic design decisions for a commerce search setup ( with an ATG Search view)

In this blog I would like to explain the basic set of configuration/design decisions needed to setup an ATG search project. Most of these design decisions are common for all Enterprise search applications. 1. Decide the searchable properties :   This means the properties that the business want the user to search in the ecommerce platform. In ATG search these are configured as the text properties in the product-catalog-output-config.xml ( the definitionFile of the \atg\commerce\search\ProductCatalogOutputConfig). Usually the displayName of product/sku, displayName of department/category/sub-category, skuId, brandName are the properties configured as searchable. 2. Decide the search refinement properties or the faceted properties :   After a user search for a keyword, search refinement is the next step done to filter his results. ATG supports the search refinement using the Faceted Search concept. Read more about facted search @...
6 comments
Read more