Posted to commits@ofbiz.apache.org by jl...@apache.org on 2017/09/26 07:17:40 UTC
svn commit: r1809687 - in /ofbiz/ofbiz-framework/trunk:
applications/marketing/src/main/java/org/apache/ofbiz/marketing/tracking/
applications/order/src/main/java/org/apache/ofbiz/order/shoppinglist/
applications/securityext/src/main/java/org/apache/of...
Author: jleroux
Date: Tue Sep 26 07:17:40 2017
New Revision: 1809687
URL: http://svn.apache.org/viewvc?rev=1809687&view=rev
Log:
Improved: Add session tracking mode and make cookie secure
(OFBIZ-6655)
This is somewhat related to OFBIZ-6655 because it's there that Deepak reverted
r1719762 (actually r1719939). It was right to do so at r1722379 for
RequestHandler but not for the other files, because it now does not handle
security for cookies which are not session cookies. It's minor but still a risk,
notably for autoLoginCookie
This reapplies r1719762 for the other files to make other than session cookies
secure. I will not backport
Modified:
ofbiz/ofbiz-framework/trunk/applications/marketing/src/main/java/org/apache/ofbiz/marketing/tracking/TrackingCodeEvents.java
ofbiz/ofbiz-framework/trunk/applications/order/src/main/java/org/apache/ofbiz/order/shoppinglist/ShoppingListEvents.java
ofbiz/ofbiz-framework/trunk/applications/securityext/src/main/java/org/apache/ofbiz/securityext/login/LoginEvents.java
ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java
ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/stats/VisitHandler.java
Modified: ofbiz/ofbiz-framework/trunk/applications/marketing/src/main/java/org/apache/ofbiz/marketing/tracking/TrackingCodeEvents.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/applications/marketing/src/main/java/org/apache/ofbiz/marketing/tracking/TrackingCodeEvents.java?rev=1809687&r1=1809686&r2=1809687&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/applications/marketing/src/main/java/org/apache/ofbiz/marketing/tracking/TrackingCodeEvents.java (original)
+++ ofbiz/ofbiz-framework/trunk/applications/marketing/src/main/java/org/apache/ofbiz/marketing/tracking/TrackingCodeEvents.java Tue Sep 26 07:17:40 2017
@@ -228,6 +228,8 @@ public class TrackingCodeEvents {
if (trackableLifetime.longValue() > 0) trackableCookie.setMaxAge(trackableLifetime.intValue());
trackableCookie.setPath("/");
if (cookieDomain.length() > 0) trackableCookie.setDomain(cookieDomain);
+ trackableCookie.setSecure(true);
+ trackableCookie.setHttpOnly(true);
response.addCookie(trackableCookie);
}
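Review bot: The first context line of this hunk, `if (trackableLifetime.longValue() > 0) trackableCookie.setMaxAge(trackableLifetime.intValue());`, narrows a Long to int silently, so if the configured lifetime can ever exceed Integer.MAX_VALUE the value wraps, and a negative max-age is treated by the Servlet API as "session cookie", which defeats the lifetime that the preceding check tried to honour. Clamping is a one-line fix: `if (trackableLifetime.longValue() > 0) trackableCookie.setMaxAge((int) Math.min(trackableLifetime.longValue(), Integer.MAX_VALUE));`. The same pattern is in the next hunk for billableCookie. The enclosing method starts before this hunk, so where trackableLifetime is read from cannot be seen here.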
@@ -238,6 +240,8 @@ public class TrackingCodeEvents {
if (billableLifetime.longValue() > 0) billableCookie.setMaxAge(billableLifetime.intValue());
billableCookie.setPath("/");
if (cookieDomain.length() > 0) billableCookie.setDomain(cookieDomain);
+ billableCookie.setSecure(true);
+ billableCookie.setHttpOnly(true);
response.addCookie(billableCookie);
}
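Review bot: The added `setSecure(true)` is unconditional and undocumented, and nothing in the hunk tells a future maintainer that a browser will neither store nor return this cookie over plain HTTP, so on a deployment that is not fully behind TLS the billable cookie simply disappears rather than failing loudly. Hard-coding Secure is the right default for these cookies, but the trade-off deserves a comment at the point where it is made, e.g. `// Secure + HttpOnly: only sent over TLS and invisible to scripts; on a plain-HTTP deployment the browser drops this cookie`. The same applies to every other hunk in this commit (TrackingCodeEvents, ShoppingListEvents, LoginEvents, LoginWorker, VisitHandler).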
@@ -264,13 +268,17 @@ public class TrackingCodeEvents {
siteIdCookie.setMaxAge(siteIdCookieAge);
siteIdCookie.setPath("/");
if (cookieDomain.length() > 0) siteIdCookie.setDomain(cookieDomain);
- response.addCookie(siteIdCookie);
+ siteIdCookie.setSecure(true);
+ siteIdCookie.setHttpOnly(true);
+ response.addCookie(siteIdCookie);
// if trackingCode.siteId is not null write a trackable cookie with name in the form: Ofbiz.TKCSiteId and timeout will be 60 * 60 * 24 * 365
Cookie updatedTimeStampCookie = new Cookie("Ofbiz.TKCD.UpdatedTimeStamp" ,UtilDateTime.nowTimestamp().toString());
updatedTimeStampCookie.setMaxAge(siteIdCookieAge);
updatedTimeStampCookie.setPath("/");
if (cookieDomain.length() > 0) updatedTimeStampCookie.setDomain(cookieDomain);
- response.addCookie(updatedTimeStampCookie);
+ updatedTimeStampCookie.setSecure(true);
+ updatedTimeStampCookie.setHttpOnly(true);
+ response.addCookie(updatedTimeStampCookie);
}
}
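Review bot: The comment in the middle of this hunk, `// if trackingCode.siteId is not null write a trackable cookie with name in the form: Ofbiz.TKCSiteId ...`, does not describe the line below it, which creates `Ofbiz.TKCD.UpdatedTimeStamp` with `siteIdCookieAge`; it looks like a leftover copy of the comment that belongs to the siteId cookie further up, outside the hunk. Replacing it with `// also record when the siteId cookie was last refreshed, with the same lifetime as the siteId cookie` would make the new block read correctly. The enclosing method begins before this hunk.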
Modified: ofbiz/ofbiz-framework/trunk/applications/order/src/main/java/org/apache/ofbiz/order/shoppinglist/ShoppingListEvents.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/applications/order/src/main/java/org/apache/ofbiz/order/shoppinglist/ShoppingListEvents.java?rev=1809687&r1=1809686&r2=1809687&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/applications/order/src/main/java/org/apache/ofbiz/order/shoppinglist/ShoppingListEvents.java (original)
+++ ofbiz/ofbiz-framework/trunk/applications/order/src/main/java/org/apache/ofbiz/order/shoppinglist/ShoppingListEvents.java Tue Sep 26 07:17:40 2017
@@ -664,6 +664,8 @@ public class ShoppingListEvents {
Cookie guestShoppingListCookie = new Cookie(guestShoppingUserName, autoSaveListId);
guestShoppingListCookie.setMaxAge(cookieAge);
guestShoppingListCookie.setPath("/");
+ guestShoppingListCookie.setSecure(true);
+ guestShoppingListCookie.setHttpOnly(true);
response.addCookie(guestShoppingListCookie);
}
}
@@ -687,6 +689,8 @@ public class ShoppingListEvents {
Cookie guestShoppingListCookie = new Cookie(guestShoppingUserName, null);
guestShoppingListCookie.setMaxAge(0);
guestShoppingListCookie.setPath("/");
+ guestShoppingListCookie.setSecure(true);
+ guestShoppingListCookie.setHttpOnly(true);
response.addCookie(guestShoppingListCookie);
return "success";
}
Modified: ofbiz/ofbiz-framework/trunk/applications/securityext/src/main/java/org/apache/ofbiz/securityext/login/LoginEvents.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/applications/securityext/src/main/java/org/apache/ofbiz/securityext/login/LoginEvents.java?rev=1809687&r1=1809686&r2=1809687&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/applications/securityext/src/main/java/org/apache/ofbiz/securityext/login/LoginEvents.java (original)
+++ ofbiz/ofbiz-framework/trunk/applications/securityext/src/main/java/org/apache/ofbiz/securityext/login/LoginEvents.java Tue Sep 26 07:17:40 2017
@@ -438,6 +438,8 @@ public class LoginEvents {
cookie.setMaxAge(60 * 60 * 24 * 365);
cookie.setPath("/");
cookie.setDomain(domain);
+ cookie.setSecure(true);
+ cookie.setHttpOnly(true);
response.addCookie(cookie);
}
}
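Review bot: `cookie.setDomain(domain);` is called unconditionally in this hunk, while the equivalent lines in TrackingCodeEvents guard the attribute with `if (cookieDomain.length() > 0)`; if `domain` can be empty or null here (it is computed outside the hunk, so that cannot be confirmed from this view), the two files will emit different Domain attributes for the same configuration. Aligning on the guarded form, `if (domain != null && !domain.isEmpty()) cookie.setDomain(domain);`, keeps the cookie scope rules consistent across the code base. The same unguarded `setDomain(domain)` is in the first LoginWorker hunk.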
Modified: ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java?rev=1809687&r1=1809686&r2=1809687&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java (original)
+++ ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java Tue Sep 26 07:17:40 2017
@@ -686,6 +686,8 @@ public class LoginWorker {
autoLoginCookie.setMaxAge(60 * 60 * 24 * 365);
autoLoginCookie.setDomain(domain);
autoLoginCookie.setPath("/");
+ autoLoginCookie.setSecure(true);
+ autoLoginCookie.setHttpOnly(true);
response.addCookie(autoLoginCookie);
return autoLoginCheck(delegator, session, userLogin.getString("userLoginId"));
} else {
@@ -756,6 +758,8 @@ public class LoginWorker {
Cookie autoLoginCookie = new Cookie(getAutoLoginCookieName(request), userLogin.getString("userLoginId"));
autoLoginCookie.setMaxAge(0);
autoLoginCookie.setPath("/");
+ autoLoginCookie.setSecure(true);
+ autoLoginCookie.setHttpOnly(true);
response.addCookie(autoLoginCookie);
}
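Review bot: The expiring cookie built at the top of this hunk (`new Cookie(getAutoLoginCookieName(request), ...)`, `setMaxAge(0)`, `setPath("/")`) carries no Domain attribute, whereas the cookie issued in the previous LoginWorker hunk calls `autoLoginCookie.setDomain(domain)`; browsers match a replacement cookie on name, domain and path, so whenever a non-empty domain was set at creation the max-age-0 cookie may be stored alongside the original instead of clearing it, and the auto-login cookie would survive logout. The deletion should set the same domain the creation path used, e.g. `autoLoginCookie.setDomain(domain);` before `setPath("/")`, assuming the same value is reachable here (the enclosing method continues outside the hunk). Secure and HttpOnly on the deletion cookie are fine as added.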
// remove the session attributes
Modified: ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/stats/VisitHandler.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/stats/VisitHandler.java?rev=1809687&r1=1809686&r2=1809687&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/stats/VisitHandler.java (original)
+++ ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/stats/VisitHandler.java Tue Sep 26 07:17:40 2017
@@ -274,6 +274,8 @@ public class VisitHandler {
Cookie visitorCookie = new Cookie(visitorCookieName, visitor.getString("visitorId"));
visitorCookie.setMaxAge(60 * 60 * 24 * 365);
visitorCookie.setPath("/");
+ visitorCookie.setSecure(true);
+ visitorCookie.setHttpOnly(true);
response.addCookie(visitorCookie);
}
}
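Review bot: With this hunk the same three-line tail (`setPath("/")`, `setSecure(true)`, `setHttpOnly(true)`, then `response.addCookie`) is now repeated at eight sites across five files, which is how the earlier partial revert mentioned in the log left some cookies unprotected in the first place. A single shared helper, for instance `static void addSecureCookie(HttpServletResponse response, Cookie cookie)` that applies Secure and HttpOnly and then calls `response.addCookie(cookie)`, would make the attribute set impossible to forget at one site and give any future attribute one place to be added. This is a style suggestion; the change as committed is correct.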