
ATG - how to prevent Cross-Site attacks using _dynSessConf parameter


Cross-site scripting attacks take advantage of a vulnerability that enables a malicious site to use your browser to submit form requests to another site.

In order to protect forms from cross-site attacks in ATG, you can enable form submissions to automatically supply the request parameter _dynSessConf, which identifies the current session through a randomly generated long number. On submission of a form (using the dsp:form tag) or activation of a property setting (using the dsp:a tag), the request-handling pipeline (DAFDropletEventServlet) validates _dynSessConf against its session confirmation identifier. If it detects a mismatch or a missing number, it can block form processing and return an error.

To disable this functionality globally, set the following properties on /atg/dynamo/Configuration:
enforceSessionConfirmation = false --> specifies whether the request-handling pipeline requires session confirmation in order to process the request; the default value is true.
warnOnSessionConfirmationFailure = false --> specifies whether to issue a warning on a confirmation number mismatch; the default value is true.

You can control session confirmation for individual requests by setting the attribute requiresSessionConfirmation to true or false on the applicable dsp:form or dsp:a tag. If this attribute is set to false, the _dynSessConf parameter is not included in the HTTP request and the request-handling pipeline skips validation of this request’s session confirmation number.
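
The decision logic described above, as an added example that is not ATG's DAFDropletEventServlet code: a simplified model of a session-bound confirmation number check. The class, enum and method names are hypothetical, and the way the two Configuration flags combine when enforcement is off is an assumption, not documented ATG behaviour.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;

/** Simplified model of the session-confirmation check; hypothetical, not ATG source. */
public class SessionConfirmationModel {
    enum Outcome { PROCESS, PROCESS_WITH_WARNING, BLOCK }

    private static final SecureRandom RNG = new SecureRandom();

    // Named after the /atg/dynamo/Configuration properties; defaults as stated on the page.
    boolean enforceSessionConfirmation = true;
    boolean warnOnSessionConfirmationFailure = true;

    /** Random long generated once and stored in the server-side session. */
    static long newSessionConfirmationNumber() {
        return RNG.nextLong();
    }

    /**
     * @param sessionNumber number stored in the session
     * @param dynSessConf raw _dynSessConf request parameter, or null if absent
     * @param requiresSessionConfirmation per-tag attribute on dsp:form / dsp:a
     */
    Outcome check(long sessionNumber, String dynSessConf, boolean requiresSessionConfirmation) {
        if (!requiresSessionConfirmation) {
            return Outcome.PROCESS; // the tag opted out, validation is skipped
        }
        // Constant-time comparison so response timing does not leak matching digits.
        boolean matches = dynSessConf != null && MessageDigest.isEqual(
                Long.toString(sessionNumber).getBytes(StandardCharsets.US_ASCII),
                dynSessConf.trim().getBytes(StandardCharsets.US_ASCII));
        if (matches) {
            return Outcome.PROCESS;
        }
        if (enforceSessionConfirmation) {
            return Outcome.BLOCK;
        }
        // Assumption: with enforcement off, a failure is at most logged.
        return warnOnSessionConfirmationFailure ? Outcome.PROCESS_WITH_WARNING : Outcome.PROCESS;
    }

    public static void main(String[] args) {
        SessionConfirmationModel m = new SessionConfirmationModel();
        long n = newSessionConfirmationNumber();              // constructed sample session
        System.out.println(m.check(n, Long.toString(n), true)); // form rendered by the site itself
        System.out.println(m.check(n, null, true));             // request without the parameter
        System.out.println(m.check(n, "12345", true));          // request with a guessed value
        m.enforceSessionConfirmation = false;                   // enforcement disabled globally
        System.out.println(m.check(n, null, true));
        System.out.println(m.check(n, null, false));            // requiresSessionConfirmation="false"
    }
}
```

Every handler reached with enforcement off, or through a tag that sets requiresSessionConfirmation to false, accepts requests that carry no proof they came from a page the site rendered, so such exceptions are best limited to forms that change no state.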

Comments

  1. http://docs.oracle.com/cd/E24152_01/Platform.10-1/ATGBusCommRefGuide/html/s1402sessionexpirationfromlackofusera01.html

    Can we handle 409 conflict using CheckSessionExpiration?
    I tried this. But before the request reaches the pipeline, web.xml redirects to the URL mentioned there.
