Posted to dev@ofbiz.apache.org by "Deepak Dixit (JIRA)" <ji...@apache.org> on 2015/09/26 10:16:04 UTC

[jira] [Created] (OFBIZ-6655) Add session tracking mode and make cookie secure

Deepak Dixit created OFBIZ-6655:
-----------------------------------

             Summary: Add session tracking mode and make cookie secure
                 Key: OFBIZ-6655
                 URL: https://issues.apache.org/jira/browse/OFBIZ-6655
             Project: OFBiz
          Issue Type: Improvement
          Components: ALL COMPONENTS
    Affects Versions: Trunk, 14.12.01
            Reporter: Deepak Dixit
            Assignee: Deepak Dixit


Need to enhance security at the web-app level.
As per the current implementation:
- The cookie containing the session identifier is not secure
- The session identifier is transmitted in the query string of the URL

To fix these issues we have to add the following session config options in web.xml
{code}
<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
{code}

Also we need to update the web-app servlet specification from 2.3 to 3.0
{code}
<web-app version="3.0"
        xmlns="http://java.sun.com/xml/ns/javaee"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                            http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
{code}
https://tomcat.apache.org/whichversion.html
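The following audit script is an added example, not part of this issue or of the OFBiz code base. It reads a web.xml descriptor and reports the three gaps described above (missing HttpOnly, missing Secure, and a tracking-mode that allows the session id to be rewritten into URLs), plus a descriptor version below 3.0, which is what makes the cookie-config and tracking-mode elements available. It uses only the Python standard library; the three sample descriptors are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a servlet 2.3 descriptor (DTD-based, no version attribute,
# no session-config), the "before" state described in the issue.
LEGACY_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <display-name>legacy-app</display-name>
</web-app>
"""

# Constructed sample: the hardened descriptor the issue proposes.
HARDENED_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0"
        xmlns="http://java.sun.com/xml/ns/javaee"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                            http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
  <display-name>hardened-app</display-name>
  <session-config>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>
"""

# Constructed sample: already on 3.0, but the Secure flag is off and URL
# tracking is still permitted alongside COOKIE.
MIXED_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee">
  <session-config>
    <cookie-config>
      <http-only>true</http-only>
      <secure>false</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
    <tracking-mode>URL</tracking-mode>
  </session-config>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace: '{http://...}web-app' -> 'web-app'."""
    return tag.rsplit("}", 1)[-1]


def _child(elem, name):
    """First direct child with the given local name, or None (None-safe)."""
    if elem is None:
        return None
    return next((c for c in elem if _local(c.tag) == name), None)


def _is_true(elem):
    return elem is not None and (elem.text or "").strip().lower() == "true"


def audit_web_xml(xml_text):
    """Return a list of findings; an empty list means the descriptor is hardened."""
    root = ET.fromstring(xml_text)
    findings = []

    # cookie-config and tracking-mode exist only from servlet spec 3.0 onward.
    version = root.get("version")
    try:
        if version is None or float(version) < 3.0:
            shown = version or "unset (DTD-based, pre-3.0)"
            findings.append(f"web-app version is {shown}; cookie-config and "
                            f"tracking-mode require servlet 3.0 or later")
    except ValueError:
        findings.append(f"web-app version {version!r} is not numeric")

    session_config = _child(root, "session-config")
    cookie_config = _child(session_config, "cookie-config")
    if not _is_true(_child(cookie_config, "http-only")):
        findings.append("session cookie is not HttpOnly: readable by page script")
    if not _is_true(_child(cookie_config, "secure")):
        findings.append("session cookie lacks the Secure flag: may be sent over plain HTTP")

    # tracking-mode may be repeated; anything other than exactly {COOKIE}
    # leaves URL rewriting (jsessionid in the query string) possible.
    modes = set()
    if session_config is not None:
        for c in session_config:
            if _local(c.tag) == "tracking-mode" and c.text:
                modes.add(c.text.strip().upper())
    if modes != {"COOKIE"}:
        shown = sorted(modes) or "unset (container default, URL rewriting allowed)"
        findings.append(f"tracking-mode is {shown}; expected COOKIE only, otherwise "
                        f"the session id can appear in URLs")
    return findings


if __name__ == "__main__":
    for name, doc in (("legacy", LEGACY_WEB_XML), ("mixed", MIXED_WEB_XML),
                      ("hardened", HARDENED_WEB_XML)):
        print(f"{name}: {audit_web_xml(doc) or 'OK'}")
```

Run it against each web.xml in the deployment (OFBiz has one per component) to confirm the change landed everywhere; the legacy sample yields four findings, the mixed one two, and the hardened one none.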



