Bug 45390 - UMC stores the username in cookie, causes privacy problems
UMC stores the username in cookie, causes privacy problems
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
UCS 4.2
Other Linux
: P5 normal (vote)
: UCS 4.2-2-errata
Assigned To: Florian Best
Johannes Keiser
:
Depends on:
Blocks: 45461
  Show dependency treegraph
 
Reported: 2017-09-14 10:45 CEST by Florian Best
Modified: 2017-09-27 12:16 CEST (History)
1 user (show)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number: 2017091321000684
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Florian Best univentionstaff 2017-09-14 10:45:20 CEST
Es wurde festgestellt, dass die Webapplikation personenbezogene Daten innerhalb eines Cookies im Klartext speichert. Dies kann ein Datenschutz Issue darstellen, wenn diese Cookies beispielsweise in Logdateien protokolliert werden.

Neben der ID wird auch der Name des Benutzers im Klartext gespeichert. Dies stellt uns vor Datenschutz-rechtliche Probleme, welche Zeitnah gelöst werden müssen.
Comment 1 Florian Best univentionstaff 2017-09-14 11:26:49 CEST
We are using this feature to fill the login field with the last username. Maybe we can move this into a HTML5 storage? But there is still one place in the backend where it is used:
univention-management-console-web-server:647:»   »   self.set_cookies(('UMCSessionId', sessionid), ('UMCUsername', username))
Comment 2 Nico Stöckigt univentionstaff 2017-09-14 13:58:40 CEST
Maybe we can use a 'remember_me' Option to en/disable this behavior in the Login dialog?
Comment 3 Florian Best univentionstaff 2017-09-14 17:55:19 CEST
A draft has been commited: https://git.knut.univention.de/univention/ucs/tree/fbest/45390-username-cookie

This patch will remove the cookie after each response immediately and stores the value in a HTML 5 storage.
Comment 4 Florian Best univentionstaff 2017-09-18 14:31:22 CEST
I exchanged the UMCUsername cookie with a HTML5 storage value.
The cookie is removed if the backend sends it to the frontend and stores it in the storage.

univention-web (1.0.42-43):
c710053a0d9c386aceee99b6fa21a03f3bf2f276 | Merge branch 'fbest/45390-username-cookie-2' into 4.2-2
78fa104ec4fa3fe2f67bfab04450bf41dbf08cd2 | Bug #45390: replace username cookie with HTML5 storage
Comment 5 Johannes Keiser univentionstaff 2017-09-19 12:37:50 CEST
OK Username is now stored in localStorage instead as cookie
OK If a cookie for the username existed it gets deleted

YAML entry is missing
Comment 6 Florian Best univentionstaff 2017-09-19 12:59:27 CEST
univention-web.yaml:
04320a066bc214842752dd50b942f6b5b687338f | YAML Bug #45390
Comment 7 Johannes Keiser univentionstaff 2017-09-19 13:09:01 CEST
OK YAML
-> verified
Comment 8 Erik Damrose univentionstaff 2017-09-20 15:04:09 CEST
<http://errata.software-univention.de/ucs/4.2/179.html>