Can you keep a secret?

If you are developing applications that use CSP or Zen, or potentially any of the other InterSystems web-related stuff that's built on top of CSP, then it's important to know how to keep one particular secret.

A central part of the CSP security architecture is a server-side session key. "Server-side" because its value should never be revealed to the client that is issuing the web requests. If it is revealed, a malicious client might be able to use it to bypass your security and make your server do things you don't want it to.

Your session key is available as a property named Key of your %CSP.Session object. In other words, in your server-side code it is typically available as %session.Key.

The documentation for the Key property states:

Stores the encryption key used to validate and secure the communication with the browser. This key never leaves Caché.

In order to "keep a secret" you must make sure that nothing you write (or use) ever transmits the value of that property to the client in a readable form.
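As an added example (not code from the original post), here is a small Python review aid that scans server-side CSP/ObjectScript source for lines that emit %session.Key into the HTTP response. The sample source is constructed for the check; the Write and #( )# patterns are heuristics, and the $System.Encryption.HMACSHA line in the sample is only there as a use of the key that stays on the server.

```python
import re

# Heuristic output contexts in CSP/ObjectScript source (constructed for this
# example): a Write command, or a #( ... )# server-side expression, which CSP
# evaluates on the server and emits into the response the browser receives.
WRITE_CMD = re.compile(r"^\s*(?:write|w)\s+.*%session\.Key\b", re.IGNORECASE)
CSP_EXPR = re.compile(r"#\([^#]*%session\.Key\b[^#]*\)#", re.IGNORECASE)


def find_key_leaks(source: str) -> list:
    """Return (line_number, line_text) for every line that appears to emit
    %session.Key to the client. The check is line-based: a key embedded in an
    &html<...> or &js<...> block still appears as a #( )# expression on its
    own line, so block boundaries need not be tracked. A Write that only
    outputs something derived from the key (e.g. its length) is a false
    positive, which is acceptable for a review aid."""
    leaks = []
    for lineno, raw in enumerate(source.splitlines(), 1):
        if WRITE_CMD.search(raw) or CSP_EXPR.search(raw):
            leaks.append((lineno, raw.strip()))
    return leaks


# Constructed sample of server-side code; not taken from any real application.
SAMPLE_SOURCE = '''\
 ; constructed sample: three lines leak the key, the others do not
 Set user = %session.Data("user")
 Write "<!-- debug: session key ",%session.Key," -->"
 &html<<input type="hidden" name="sk" value="#(%session.Key)#">>
 &js<var debugKey = "#(%session.Key)#";>
 Set sig = $System.Encryption.HMACSHA(256, payload, %session.Key)
 Write "<p>Welcome ",user,"</p>"
'''

if __name__ == "__main__":
    for lineno, text in find_key_leaks(SAMPLE_SOURCE):
        print(f"line {lineno}: {text}")
```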


See also this post about a circumstance in which your system will not be assigning unique and secret keys.
