Skip to main content

ATG - how to prevent Cross-Site attacks using _dynSessConf parameter


Cross-site scripting attacks take advantage of a vulnerability that enables a malicious site to use your browser to submit form requests to another site.

In order to protect forms from cross-site attacks in ATG, you can enable form submissions to automatically supply the request parameter _dynSessConf, which identifies the current session through a randomly generated long number. On submission of a form (using dsp:form tag) or activation of a property setting (using dsp:a tag), the request-handling pipeline ( DAFDropletEventServlet ) validates _dynSessConf  against its session confirmation identifier. If it detects a mismatch or missing number, it can block form processing and return an error.

To disable this functionality, we could give the following properties (@ /atg/dynamo/Configuration to disable it globally)
enforceSessionConfirmation = false -->  specifies whether the request-handling pipeline requires session confirmation in order to process the request; the default value is true.
warnOnSessionConfirmationFailure = false --> specifies whether to issue a warning on a confirmation number mismatch; the default value is true.

You can control session confirmation for individual requests by setting the attribute requiresSessionConfirmation to true or false on the applicable dsp:form or dsp:a tag. If this attribute is set to false, the _dynSessConf parameter is not included in the HTTP request and the request-handling pipeline skips validation of this request’s session confirmation number.
Labels:

Comments

  1. Anonymous15 May 2014 at 00:53

    http://docs.oracle.com/cd/E24152_01/Platform.10-1/ATGBusCommRefGuide/html/s1402sessionexpirationfromlackofusera01.html

    Can we handle 409 conflict using CheckSessionExpiration?
    I tried this. But before reaching request to pipeline,web.xml redirect to url mention there.

    ReplyDelete

Post a Comment

Popular posts from this blog

Search Facets - how to create a new search facets in ATG Search

A Facet is a search refinement element that corresponds to a property of a commerce item type. ATG supports the search result refinement using the Faceted Search concept. Read more about facted search @  http://en.wikipedia.org/wiki/Faceted_search . Facet can either be ranges or specific values. Each facet is stored in the RefinementRepository as a separate refineElement repository item. Facets are divided into Global and Local facets. Global facets apply to all the categories and local facets only to the category in which they are created. For example Price/Brand can be considered as the facets that are common for all skus and New Release/Coming Soon can be considered as the facets that are specific to Physical Media products like Vidoe/DVD/Blue-ray/Books. We can use the ATG BCC - Merchandising UI to create facets. The Faceting Property depends on the meta-properties defined in the \atg\commerce\search\product-catalog-output-config.xml ( the definitionFile of the \atg\commerce\s
4 comments
Read more

ATG - quick reference to commonly used DSP Tags

In this blog, I would like to give a quick reference to the most commonly used DSP Tags.Note that in this DSP tag details : bean refers to a Nucleus path, component name, and property name param refers to a Page parameter value refers to a Static-value var refers to a EL variable id refers to a scripting variable ============================================================== 1.dsp:importbean     example: <dsp:importbean bean="/atg/dynamo/droplet/Switch"/> ============================================================== 2.dsp:page     usage: It encloses a JSP. The dsp:page invokes the JSP handler, which calls the servlet pipeline and generates HTTPServletRequest.    example:    <dsp:page> ..... </dsp:page> ============================================================== 3.dsp:include     usage: Embeds a page fragment in a JSP.     example:   <dsp:include src="/myPage/ResultPage.jsp" flush="true">            
9 comments
Read more

GC Log Analyzer from IBM

This blog is about the GC( garbage collection) log analyzer from IBM. If you have a GC log and you want to analyze the file,  this IBM tool will help you with some graphical analyzer and some recommendations. You can download it from the following URL : https://www.ibm.com/support/pages/ibm-pattern-modeling-and-analysis-tool-java-garbage-collector-pmat Please find below some screenshots and details that might help you. 1. Screenshot 1: 2. Screenshot 2 : 3. Screenshot 3 : 4. Screenshot 4:
2 comments
Read more

ATG Search and Search engine activity log

We could use the SearchEngineActivity log files to get the request/response to the search engine from a commerce instance. This folder is located in each commerce instance or the instances from which the call to the search engine is done. The SearchEngineActivity log file folder can be configured @ SearchEngineService component ( /dyn/admin/nucleus/atg/search/routing/SearchEngineService). To get the log files for the search engine calls, you need to specify the SearchEngineService.dumpingRequests as true. Then you need to specify the engineActivityPath as the folder in which you need the SearchEngineActivity logs. Below you could find my SearchEngineActivity log folder. Each successful call to the search engine from the commerce instance will create 5 files in the SearchEngineActivity folder : namely  request, response, search engineinfo, stack trace and response row . Each file name start with a specific sequence. You could see that the file name like "2630436491482_
1 comment
Read more

ATG Search - how to create a search project

Here I am going to explain how we can create a new ATG search project. It involves 3 steps --> Specify the general search project settings, Specify the content of search indexing and Build the index. Below I am elaborating the different steps involved with screen shots : 1. Go to Search Project Administration ui @  BCC and Click the button "New Search Project" to create a new search project. 2. Specify the search project name, give description and click the button "Create Search Project". 3. Click the button "Add Content" to add the search project content. 4. Specify the content name, select the content type and specify the IndexingOutputConfig path if the content type is ATG repository. Specify the remote host and port if you are using another server for fetching the content. 5. Click the content in the left side and expand the advanced option to specify the language and other customizations. 6. Click the
2 comments
Read more