Skip to main content

ATG - how to prevent Cross-Site attacks using _dynSessConf parameter


Cross-site scripting attacks take advantage of a vulnerability that enables a malicious site to use your browser to submit form requests to another site.

In order to protect forms from cross-site attacks in ATG, you can enable form submissions to automatically supply the request parameter _dynSessConf, which identifies the current session through a randomly generated long number. On submission of a form (using dsp:form tag) or activation of a property setting (using dsp:a tag), the request-handling pipeline ( DAFDropletEventServlet ) validates _dynSessConf  against its session confirmation identifier. If it detects a mismatch or missing number, it can block form processing and return an error.

To disable this functionality, we could give the following properties (@ /atg/dynamo/Configuration to disable it globally)
enforceSessionConfirmation = false -->  specifies whether the request-handling pipeline requires session confirmation in order to process the request; the default value is true.
warnOnSessionConfirmationFailure = false --> specifies whether to issue a warning on a confirmation number mismatch; the default value is true.

You can control session confirmation for individual requests by setting the attribute requiresSessionConfirmation to true or false on the applicable dsp:form or dsp:a tag. If this attribute is set to false, the _dynSessConf parameter is not included in the HTTP request and the request-handling pipeline skips validation of this request’s session confirmation number.
Labels:

Comments

  1. Anonymous15 May 2014 at 00:53

    http://docs.oracle.com/cd/E24152_01/Platform.10-1/ATGBusCommRefGuide/html/s1402sessionexpirationfromlackofusera01.html

    Can we handle 409 conflict using CheckSessionExpiration?
    I tried this. But before reaching request to pipeline,web.xml redirect to url mention there.

    ReplyDelete

Post a Comment

Popular posts from this blog

How to convert your Blogger Blog to PDF ?

You can use a website called "blogbooker" @  http://www.blogbooker.com/blogger.php   to convert your Blogger Blog to a PDF . Please find the steps below : 1. Save your blog as an xml using Blogger Settings - Other - Export Blog option 2. Go to the website " http://www.blogbooker.com/blogger.php " and select this XML , give your blog address and select the options like date range, page size, font, ... 3. Click the  "Create Your BlogBook" button to view and save your blog as PDF
4 comments
Read more

ATG License Files and Oracle Software Delivery Cloud

Oracle no longer generates license keys that are specific to your IP address(es). Oracle now provides generic license files that enable you to fully utilize all of the features for which you are licensed. Please find the ATG License files for different ATG versions @ http://www.oracle.com/us/support/licensecodes/atg/index. @ Oracle Software Delivery Cloud , you can find downloads for all licensable Oracle products –> https://edelivery.oracle.com/ Please find below a screen shot for ATG products download :
Post a Comment
Read more

Eclipse plug-in to create Class and Sequence diagrams

ModelGoon is an Eclipse plug-in avaiable for UML diagram generation from Java code. It can be used to generate Package Dependencies Diagram, Class Diagram, Interaction Diagram and Sequence Diagram. You coud get it from http://marketplace.eclipse.org/content/modelgoon-uml4java Read more about it and see some vedios about how to create the class and sequence diagram @ http://www.modelgoon.org/?tag=eclipse-plugin Find some snapshots below which gives an idea about the diagram generation.
8 comments
Read more

ATG Product Catalog schema ER diagram

Check out the O rder schema ER-Diagram @   http://tips4ufromsony.blogspot.in/2012/02/atg-order-schema-er-diagram.html Check out the User Profile  schema ER-Diagram @ http://tips4ufromsony.blogspot.in/2012/03/atg-user-profile-schema-er-diagram.html If you would like to know the relationship between different Product Catalog tables, please find below screen shots of  Product Catalog schema ER Diagrams.
3 comments
Read more

Working Environment

It is always good to think about your working environment. Here I am listing mine,  expecting your comments to add other necessary tools to this list. Anti Virus Avast  –> http://www.avast.com/free-antivirus-download Avira  –> http://www.avira.com/en/avira-free-antivirus AVG  –> http://www.freeavg.com/?lng=in-en&cmpid=free Kaspersky  –> http://www.kaspersky.com/ McAfee  –> http://www.mcafee.com/us/ Symantec  –> http://www.symantec.com/index.jsp Application Server JBoss  –>   http://www.jboss.org/jbossas/ Tomcat –>   http://tomcat.apache.org/ Weblogic –>   http://www.oracle.com/technetwork/middleware/weblogic Browser Firefox –>   http://www.mozilla.com/en-US/firefox Google Chrome  –> http://www.google.com/chrome/ IE  –>   http://windows.microsoft.com/en-US/internet-explorer/downloads/ie Communication_Network IPMessenger –>   http://ipmsg.org/index.html.en Putty –>   http://www.chiark.greenend.org.uk/~sgtatham/putty
Post a Comment
Read more