Uploaded image for project: 'Syncope'
  1. Syncope
  2. SYNCOPE-374

SyncopeUser tokens do not use secure random strings

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.1.1
    • Fix Version/s: 1.1.2, 1.2.0-M1
    • Component/s: core
    • Labels:
      None

      Description

      The SyncopeUser.generateToken() function generates a token using the RandomStringUtils class. This class uses the normal java random class, which uses the current time in milliseconds as seed.

      This means that the generated tokens can be predicted by an attacker. This forum post explains the issue: http://stackoverflow.com/questions/1741160/how-can-i-create-a-password
      It also lists some solutions.

      It is more secure to use a cryptographically secure string, as explained here:
      http://commons.apache.org/proper/commons-math/userguide/random.html

        Attachments

          Activity

            People

            • Assignee:
              massi Massimiliano Perrone
              Reporter:
              jessevanbekkum Jesse van Bekkum
            • Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: