Skip to main content

ATG - how to prevent Cross-Site attacks using _dynSessConf parameter


Cross-site scripting attacks take advantage of a vulnerability that enables a malicious site to use your browser to submit form requests to another site.

In order to protect forms from cross-site attacks in ATG, you can enable form submissions to automatically supply the request parameter _dynSessConf, which identifies the current session through a randomly generated long number. On submission of a form (using dsp:form tag) or activation of a property setting (using dsp:a tag), the request-handling pipeline ( DAFDropletEventServlet ) validates _dynSessConf  against its session confirmation identifier. If it detects a mismatch or missing number, it can block form processing and return an error.

To disable this functionality, we could give the following properties (@ /atg/dynamo/Configuration to disable it globally)
enforceSessionConfirmation = false -->  specifies whether the request-handling pipeline requires session confirmation in order to process the request; the default value is true.
warnOnSessionConfirmationFailure = false --> specifies whether to issue a warning on a confirmation number mismatch; the default value is true.

You can control session confirmation for individual requests by setting the attribute requiresSessionConfirmation to true or false on the applicable dsp:form or dsp:a tag. If this attribute is set to false, the _dynSessConf parameter is not included in the HTTP request and the request-handling pipeline skips validation of this request’s session confirmation number.
Labels:

Comments

  1. Anonymous15 May 2014 at 00:53

    http://docs.oracle.com/cd/E24152_01/Platform.10-1/ATGBusCommRefGuide/html/s1402sessionexpirationfromlackofusera01.html

    Can we handle 409 conflict using CheckSessionExpiration?
    I tried this. But before reaching request to pipeline,web.xml redirect to url mention there.

    ReplyDelete

Post a Comment

Popular posts from this blog

ATG - more about Forms and Form Handlers

An ATG form is defined by the dsp:form tag, which typically encloses DSP tags that specify form elements, such as dsp:input that provide direct access to Nucleus component properties. Find below a sample dsp:form tag.    <dsp:form action="/testPages/showPersonProperties.jsp" method="post" target="_top">      <p>Name: <dsp:input bean="/samples/Person.name" type="text"/>      <p>Age: <dsp:input bean="/samples/Person.age" type="text" value="30"/>      <p><dsp:input type="submit" bean="/samples/Person.submit"/> value="Click to submit"/>    </dsp:form>   When the user submits the form, the /samples/Person.name property is set to the value entered in the input field.Unlike standard HTML, which requires the name attribute for most input tags; the name attribute is optional for DSP form element tags. If an input tag omits the n...
11 comments
Read more

ATG Search - high level overview of product-catalog-output-config.xml and XHTMLs

The definition file format begins with a top-level item element that specifies the repository and item descriptor to use, and then lists the properties of that item type to include. The top-level item element has the is-document attribute set to true. This attribute specifies that an XHTML document should be generated for each item of that type (in this case, each user item). Property values that come from standard JavaBean properties of the RepositoryItem object (rather than dynamic bean properties) are specified using a dollar-sign ($) prefix. The item element has an is-multi attribute for specifying multi-value properties. If a property is an Array, Collection or Map  you should set this attribute to true. Eeach ATG Search document is uniquely identified by a URL (typically the path name of the file on the file system). In the XHTML documents that the ATG platform generates from repository items, meta properties are represented by meta tags in the head of the document, whi...
Post a Comment
Read more

Eclipse plug-in to create Class and Sequence diagrams

ModelGoon is an Eclipse plug-in avaiable for UML diagram generation from Java code. It can be used to generate Package Dependencies Diagram, Class Diagram, Interaction Diagram and Sequence Diagram. You coud get it from http://marketplace.eclipse.org/content/modelgoon-uml4java Read more about it and see some vedios about how to create the class and sequence diagram @ http://www.modelgoon.org/?tag=eclipse-plugin Find some snapshots below which gives an idea about the diagram generation.
8 comments
Read more

Google Chrome shortcut keys

If you are a Google Chromey guy, please find below the list of shortcut keys for some of the most used features  :-) Find more shortcut keys @  http://www.google.com/support/chrome/bin/static.py?page=guide.cs&guide=25799&topic=28650
4 comments
Read more

Eclipse Juno - good features of Eclipse 4.2 ( Eclipse Juno ) JDT/Workbench

Global search bar The workbench now has a global search field in the tool bar. Multi-drag sash You can now place the cursor at the intersection of two or more sashes and drag them all at the same time. When you are going to be dragging multiple sashes, the cursor will change to one with 4-way arrows. The image below indicates one such intersection with a red circle. Ant updated to 1.8.3 and JUnit to 4.10 The bundled version of Apache Ant in the platform has been updated to version 1.8.3. The JUnit 4 version shipped with Eclipse has been updated to 4.10. CamelCase in Quick Outline The Quick Outline (Ctrl+O) and Quick Hierarchy (Ctrl+T) in the Java Editor now also support camelCase matching on the element name, quite similar to the Open Type dialog and Content Assist. Quick Assist to convert enhanced for loop Ever encountered an enhanced for loop and needed access to the Iterator or to the loop index? Now, you can just use a Quick Assist (Ctrl+1)...
Post a Comment
Read more