Hi All,


We had an app scan, and it was observed that the username is in a cookie, which should not be the case.


I took the below from the developer tools by pressing F12.


Is there a way to restrict the username in the cookie?


Hi Ajithkumar,

This documentation presents an overview of all cookies which are created by default in Web Applications by OutSystems. None of them contain information such as username.

You should check whether you are creating custom cookies in your web application and what values you store inside them.

Regards,

Nordin

Hi Ajithkumar Radhakrishnan

If you check this document, you will find this: "Contains the user name of the end user making the request. This variable is instantiated during the login operation, whether you are using an explicit or implicit login. At logout, this session variable is assigned an empty text value."

But as Nordin Ahdi says, there is no very direct information about UserName.

Cheers,

Nuno


Nordin Ahdi wrote:

Hi Ajithkumar,

This documentation presents an overview of all cookies which are created by default in Web Applications by OutSystems. None of them contain information such as username.

You should check whether you are creating custom cookies in your web application and what values you store inside them.

Regards,

Nordin


Is this the same for mobile applications as well? The one I attached is from a mobile application.

I don't see any cookie name with the nr2Users syntax in the document shared.

And the environment in which the application is running is a Java stack.

Hi Ajithkumar,

Here’s the documentation with regard to the authentication cookies used in Mobile and Reactive Web apps.

As it states, the nr2<UserProviderName> cookie provides information about the user identifier via the built-in function GetUserId(). It should not contain the Username.

Regards,

Nordin

Nordin Ahdi wrote:

Hi Ajithkumar,

Here’s the documentation with regard to the authentication cookies used in Mobile and Reactive Web apps.

As it states, the nr2<UserProviderName> cookie provides information about the user identifier via the built-in function GetUserId(). It should not contain the Username.

Regards,

Nordin


Hi Nordin,

Documentation helps and I understand what is happening.

My question is: is it not vulnerable having the username in cookies?

For example: My username is OutsysAji

nr2Users cookie value is: kjkgjfulmlnkjg%&%&vjhfukhOutsysAji

Is it not vulnerable to have the user name appended at the end of the encrypted cookie value?




Hello Aji,

Any time you share sensitive information between screens, cookies included, you have the risk of a nefarious user using that information wrongly. So I would advise against having the Username in the cookie if you can prevent it.

If you have to use a username in the cookie, it might be better to hash it, so a nefarious user/hacker can't make sense of it.

Hope this helps.

Wieger


-- Edit

I misread your question and ended up answering a rhetorical question. Thanks for the reprimand, Kilian. I will take care this won't happen again.

See you guys on the forum!

Wieger

@Wieger: please read before you post! Aji is detecting the use, not doing it himself!


@Ajithkumar: in general, the username is not seen as sensitive information, hence it's never hidden when you type it on the screen. However, I can understand your concerns, so I'd advise you to contact OutSystems via Support, and get their opinion.

Hi Ajithkumar,

I have just tried this out myself and I can indeed confirm this behavior. Both nr1 and nr2 authentication cookies are marked as Secure cookies, so their value, including the username, should be encrypted.

Now, it looks like their values are indeed encrypted, but the username gets appended in plain text after the encryption part is done.

I'm also curious to know why this is the case. So if you're planning on contacting support, like Kilian advises you to, please update this post with an answer.

Regards,

Nordin
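To check for the behaviour confirmed above (an opaque encrypted part with the username appended in plain text in the nr2<UserProviderName> cookie), here is an added example, not from this thread or from OutSystems: a small audit that parses Set-Cookie headers, URL-decodes the values and reports any cookie whose decoded value contains the logged-in username, together with its Secure and HttpOnly flags. The header lines are constructed sample data modelled on the cookie value quoted in the thread; the cookie names other than nr1Users/nr2Users are made up for the example.

```python
from urllib.parse import unquote

# Constructed Set-Cookie headers. The nr2Users value is the one quoted in the
# thread; the other cookies are made up to exercise the decoding logic.
SAMPLE_HEADERS = [
    "Set-Cookie: nr2Users=kjkgjfulmlnkjg%&%&vjhfukhOutsysAji; Path=/; Secure; HttpOnly",
    "Set-Cookie: nr1Users=a1b2c3d4e5f6; Path=/; Secure; HttpOnly",
    "Set-Cookie: osPref=theme%3Ddark%3Buser%3DOutsysAji%3Blang%3Den; Path=/",
]


def parse_set_cookie(header):
    """Return (name, decoded_value, attributes) for one Set-Cookie header line."""
    prefix = "set-cookie:"
    body = header[len(prefix):] if header.lower().startswith(prefix) else header
    parts = [p.strip() for p in body.split(";")]
    name, _, raw_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    # unquote() leaves invalid escapes such as "%&" untouched, so the
    # thread's odd-looking value decodes without error.
    return name.strip(), unquote(raw_value), attrs


def audit_cookies(headers, username):
    """Flag cookies whose URL-decoded value contains the username in plain text.

    Secure only restricts the cookie to HTTPS transport and HttpOnly only hides
    it from script; neither flag encrypts the value, so a username is still
    readable by anyone who can see the cookie. Note that a very short username
    may match by chance inside a random-looking token; review hits manually.
    """
    findings = []
    needle = username.lower()
    for header in headers:
        name, value, attrs = parse_set_cookie(header)
        lowered = value.lower()
        if needle not in lowered:
            continue
        findings.append({
            "cookie": name,
            "position": "suffix" if lowered.endswith(needle) else "embedded",
            "secure": "secure" in attrs,
            "httponly": "httponly" in attrs,
        })
    return findings
```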

Hi All,


Thanks for your help.


Yes, as per my understanding of GDPR, I think exposing and using the user name should not be done in a cookie.


Instead it should be encrypted.


Yes, I will create a support case to check with the OutSystems product team.


:-)

Thanks all for your patience and help.

Ajithkumar Radhakrishnan wrote:

Hi All,


Thanks for your help.


Yes, as per my understanding of GDPR, I think exposing and using the user name should not be done in a cookie.


Instead it should be encrypted.


Yes, I will create a support case to check with the OutSystems product team.


:-)

Thanks all for your patience and help.

Hi Ajithkumar,

Have you received any update from OutSystems on this case?

Could you please update this post with an answer so that it would be helpful for all.

Regards,

Sam