Univention Bugzilla – Bug 45390
UMC stores the username in cookie, causes privacy problems
Last modified: 2017-09-27 12:16:50 CEST
It was found that the web application stores personal data in plaintext inside a cookie. This can be a data-protection issue if, for example, these cookies are recorded in log files. In addition to the ID, the user's name is also stored in plaintext. This presents us with data-protection law problems which must be resolved promptly.
We are using this feature to fill the login field with the last username. Maybe we can move this into a HTML5 storage? But there is still one place in the backend where it is used:
univention-management-console-web-server:647: self.set_cookies(('UMCSessionId', sessionid), ('UMCUsername', username))
Maybe we can use a 'remember_me' Option to en/disable this behavior in the Login dialog?
A draft has been committed: https://git.knut.univention.de/univention/ucs/tree/fbest/45390-username-cookie This patch will remove the cookie immediately after each response and store the value in a HTML5 storage.
I exchanged the UMCUsername cookie with a HTML5 storage value. The cookie is removed if the backend sends it to the frontend and stores it in the storage.
univention-web (1.0.42-43):
c710053a0d9c386aceee99b6fa21a03f3bf2f276 | Merge branch 'fbest/45390-username-cookie-2' into 4.2-2
78fa104ec4fa3fe2f67bfab04450bf41dbf08cd2 | Bug #45390: replace username cookie with HTML5 storage
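The approach described in the comment above, sketched as an added example (not the univention-web code): the username is copied from the cookie into web storage, which is not sent with HTTP requests and so does not reach server or proxy logs, and the cookie is then expired. The storage key `umcLastUsername`, the cookie path `/` and the function names are assumptions.

```javascript
const COOKIE_NAME = 'UMCUsername';       // cookie name from the bug report
const STORAGE_KEY = 'umcLastUsername';   // hypothetical localStorage key

// Parse a document.cookie-style string ("a=1; b=2") into a Map.
function parseCookies(cookieString) {
  const jar = new Map();
  for (const part of (cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;                // skip malformed fragments
    const name = part.slice(0, eq).trim();
    let value = part.slice(eq + 1).trim();
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1);        // strip optional quoting
    }
    try { value = decodeURIComponent(value); } catch (e) { /* keep raw value */ }
    if (name && !jar.has(name)) jar.set(name, value);
  }
  return jar;
}

// Move the username from the cookie jar into storage, then expire the cookie.
// Returns true if a username cookie was present.
function migrateUsernameCookie(doc, storage, path = '/') {
  const username = parseCookies(doc.cookie).get(COOKIE_NAME);
  if (username === undefined) return false;          // nothing to migrate
  if (username !== '') {
    try { storage.setItem(STORAGE_KEY, username); } catch (e) { /* storage full or disabled */ }
  }
  // Deletion only works if the path matches the one the cookie was set with
  // ('/' is assumed here). The cookie is expired even when storage failed.
  doc.cookie = `${COOKIE_NAME}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=${path}`;
  return true;
}

// Value used to prefill the login field.
function lastUsername(storage) {
  return storage.getItem(STORAGE_KEY) || '';
}

// In a browser, run the migration once per page load.
if (typeof document !== 'undefined' && typeof localStorage !== 'undefined') {
  migrateUsernameCookie(document, localStorage);
}
```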
OK Username is now stored in localStorage instead of as a cookie
OK If a cookie for the username existed it gets deleted
YAML entry is missing
univention-web.yaml: 04320a066bc214842752dd50b942f6b5b687338f | YAML Bug #45390
OK YAML -> verified
<http://errata.software-univention.de/ucs/4.2/179.html>