Raj

Reputation: 1

Liferay lfr_session_state cookie

I am new to Liferay. Our recent penetration tests on our application reported a session fixation vulnerability with the lfr_session_state cookie. I have not found online resources on what the purpose of this cookie is. Could anyone throw some light on what this cookie is and what its purpose is?

Thanks

Upvotes: 0

Views: 2543

Answers (1)

jorgediaz-lr

Reputation: 982

LFR_SESSION_STATE_* cookies are created and managed by client-side JavaScript (the session.js code) and are used only for controlling the timestamp of user session expiration: a JavaScript warning is displayed to the user when their session is about to expire or has expired, without making any request to the Liferay server.

As they are not sent to the server and only control the session timeout warning, they are not problematic.

They are not configured with the "httpOnly" or "secure" flags as they are client-only cookies.

Upvotes: 2
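A way to triage a finding like this one, as an added example that is not code from the original post or from Liferay: separate the cookies the server actually issued (those seen in Set-Cookie response headers) from cookies that only exist in the browser's document.cookie, and check the server-set ones for the HttpOnly and Secure flags. The header values, the JSESSIONID and THEME_PREF names and the user id in LFR_SESSION_STATE_12345 are constructed sample data.

```javascript
// Added example, not code from the original post or from Liferay.
// Classifies each cookie the browser holds as server-issued (it appeared in a
// Set-Cookie header) or client-only (created by page JavaScript), and reports
// missing HttpOnly/Secure flags on the server-issued ones. Sample data is constructed.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf('='));
  const lower = attrs.map((a) => a.toLowerCase());
  return { name, httpOnly: lower.includes('httponly'), secure: lower.includes('secure') };
}

function cookieNames(documentCookie) {
  return documentCookie.split(';').map((s) => s.trim()).filter(Boolean)
    .map((p) => p.slice(0, p.indexOf('=')));
}

// Returns { name: { origin, issues: [] } } for every cookie seen on either side.
function triageCookies(setCookieHeaders, documentCookie) {
  const serverSet = new Map(setCookieHeaders.map(parseSetCookie).map((c) => [c.name, c]));
  const report = {};
  for (const name of cookieNames(documentCookie)) {
    const c = serverSet.get(name);
    if (!c) {
      // Never issued by the server: created by page JavaScript, like the
      // LFR_SESSION_STATE_* expiry-warning cookies described in the answer.
      report[name] = { origin: 'client-only', issues: [] };
      continue;
    }
    const issues = [];
    if (!c.httpOnly) issues.push('missing HttpOnly'); // visible to JS, so it cannot be HttpOnly
    if (!c.secure) issues.push('missing Secure');
    report[name] = { origin: 'server', issues };
  }
  // HttpOnly cookies never show up in document.cookie, so add them from the header side.
  for (const [name, c] of serverSet) {
    if (!report[name] && c.httpOnly) {
      report[name] = { origin: 'server-httponly', issues: c.secure ? [] : ['missing Secure'] };
    }
  }
  return report;
}

// Constructed sample: an HttpOnly session cookie, a server cookie without flags,
// and a JS-only cookie following Liferay's naming pattern (the user id is made up).
const sampleSetCookie = [
  'JSESSIONID=abc123; Path=/; HttpOnly; Secure',
  'THEME_PREF=dark; Path=/',
];
const sampleDocumentCookie = 'THEME_PREF=dark; LFR_SESSION_STATE_12345=1700000000000';
const report = triageCookies(sampleSetCookie, sampleDocumentCookie);
```

In the sample, only THEME_PREF is reported with missing flags; the LFR_SESSION_STATE_12345 cookie comes out as client-only because no Set-Cookie header ever issued it.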
