Skip to main content

ATG - how to prevent Cross-Site attacks using _dynSessConf parameter


Cross-site scripting attacks take advantage of a vulnerability that enables a malicious site to use your browser to submit form requests to another site.

In order to protect forms from cross-site attacks in ATG, you can enable form submissions to automatically supply the request parameter _dynSessConf, which identifies the current session through a randomly generated long number. On submission of a form (using dsp:form tag) or activation of a property setting (using dsp:a tag), the request-handling pipeline ( DAFDropletEventServlet ) validates _dynSessConf  against its session confirmation identifier. If it detects a mismatch or missing number, it can block form processing and return an error.

To disable this functionality, we could give the following properties (@ /atg/dynamo/Configuration to disable it globally)
enforceSessionConfirmation = false -->  specifies whether the request-handling pipeline requires session confirmation in order to process the request; the default value is true.
warnOnSessionConfirmationFailure = false --> specifies whether to issue a warning on a confirmation number mismatch; the default value is true.

You can control session confirmation for individual requests by setting the attribute requiresSessionConfirmation to true or false on the applicable dsp:form or dsp:a tag. If this attribute is set to false, the _dynSessConf parameter is not included in the HTTP request and the request-handling pipeline skips validation of this request’s session confirmation number.
Labels:

Comments

  1. Anonymous15 May 2014 at 00:53

    http://docs.oracle.com/cd/E24152_01/Platform.10-1/ATGBusCommRefGuide/html/s1402sessionexpirationfromlackofusera01.html

    Can we handle 409 conflict using CheckSessionExpiration?
    I tried this. But before reaching request to pipeline,web.xml redirect to url mention there.

    ReplyDelete

Post a Comment

Popular posts from this blog

How to convert your Blogger Blog to PDF ?

You can use a website called "blogbooker" @  http://www.blogbooker.com/blogger.php   to convert your Blogger Blog to a PDF . Please find the steps below : 1. Save your blog as an xml using Blogger Settings - Other - Export Blog option 2. Go to the website " http://www.blogbooker.com/blogger.php " and select this XML , give your blog address and select the options like date range, page size, font, ... 3. Click the  "Create Your BlogBook" button to view and save your blog as PDF
4 comments
Read more

ATG Product Catalog schema ER diagram

Check out the O rder schema ER-Diagram @   http://tips4ufromsony.blogspot.in/2012/02/atg-order-schema-er-diagram.html Check out the User Profile  schema ER-Diagram @ http://tips4ufromsony.blogspot.in/2012/03/atg-user-profile-schema-er-diagram.html If you would like to know the relationship between different Product Catalog tables, please find below screen shots of  Product Catalog schema ER Diagrams.
3 comments
Read more

Google Chrome shortcut keys

If you are a Google Chromey guy, please find below the list of shortcut keys for some of the most used features  :-) Find more shortcut keys @  http://www.google.com/support/chrome/bin/static.py?page=guide.cs&guide=25799&topic=28650
4 comments
Read more

ATG - how to create and deploy a new atg module

ATG products are packaged as a number of separate application modules. Application modules exist in the ATG installation as a set of directories defined by a manifest file. To create a new module, follow the below steps : Create a module directory within your ATG installation.  Create a META-INF directory within the module directory. Note that this directory must be named META-INF.  Create a manifest file named MANIFEST.MF and include it in the META-INF directory for the module. The manifest contains the meta-data describing the module. A module located at <ATG2007.1dir>/MyModule is named MyModule and a module located at <ATG2007.1dir>/CustomModules/MyModule is named CustomModules.MyModule. Within the subdirectory that holds the module, any number of files may reside in any desired order. These files are the module resources (EAR files for J2EE applications, WAR files for web applications, EJB-JAR files for Enterprise JavaBeans, JAR files of Java class...
4 comments
Read more

Advance Tax/Self Assesment Tax and Interest u/s 234B and 234C

Read more about Tax filing @  http://tips4ufromsony.blogspot.com/2011/07/income-tax-process-and-e-filing.html  . If you are a salaried person there is tax deduction at source (TDS), which takes care of the tax payments for your salary. At the same time, there will be additional liabilities for income like interest on deposits, bonds and even capital gains which might require you to pay Advance Tax. Advance tax has to be paid in several installments in September, December and March. Self-assessment tax is the difference between the tax paid and the tax payable.You can figure out the self-assessment tax amount when you make the final income tax calculation. There is no specific date for paying this tax but it has to be done before you file your income tax return so that no further amount of tax remains to be paid. While computing advance tax, income-tax on the current income has to be first determined and the tax on such income has to be determined. As per section 208, adva...
Post a Comment
Read more