
svn commit: r1812540 - in /ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control: RequestHandler.java WebAppServletContextListener.java

Author: jleroux
Date: Wed Oct 18 15:01:04 2017
New Revision: 1812540

URL: http://svn.apache.org/viewvc?rev=1812540&view=rev
Log:
Improved: Enhance cookies security
(OFBIZ-9865)

Working on OFBIZ-6766, I was reading 
https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#SameSite_Attribute 
and decided to slightly improve our cookie security

Modified:
    ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
    ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/WebAppServletContextListener.java

Modified: ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java?rev=1812540&r1=1812539&r2=1812540&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java (original)
+++ ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java Wed Oct 18 15:01:04 2017
@@ -978,6 +978,8 @@ public class RequestHandler {
         // https://wiki.mozilla.org/Security/Features/XSS_Filter 
         // https://bugzilla.mozilla.org/show_bug.cgi?id=528661
         resp.addHeader("X-XSS-Protection","1; mode=block"); 
+        
+        resp.setHeader("Set-Cookie", "SameSite=strict"); // TODO maybe one day the ServletContext will allow to do that, then better in WebAppServletContextListener
 
         try {
             if (Debug.verboseOn()) Debug.logVerbose("Rendering view [" + nextPage + "] of type [" + viewMap.type + "]", module);
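Review bot: The added `resp.setHeader("Set-Cookie", "SameSite=strict");` does not put a SameSite attribute on any cookie: SameSite is a per-cookie attribute that has to follow a cookie's own name=value pair, so a bare `Set-Cookie: SameSite=strict` is read by a browser as a new cookie named `SameSite` with value `strict`. Because `setHeader` replaces instead of appending, it also discards every Set-Cookie header already on the response at this point (in Tomcat, as far as I recall, `addCookie` is stored as a Set-Cookie header), so cookies set earlier in the request can be silently lost. A corrected version rewrites each existing Set-Cookie value with the attribute appended, as sketched below; cookies the container adds at commit time (the session cookie for a session created later in the request) are still not covered, which is presumably why the TODO points at the ServletContext. The enclosing method continues outside the hunk.
```java
        resp.addHeader("X-XSS-Protection","1; mode=block");

        // SameSite is an attribute of each cookie, so it is appended to every
        // Set-Cookie value already present rather than sent as its own header.
        // Cookies added after this point (e.g. by the container at commit) are not covered.
        java.util.List<String> setCookies = new java.util.ArrayList<>(resp.getHeaders("Set-Cookie"));
        boolean first = true;
        for (String setCookie : setCookies) {
            String value = setCookie.contains("SameSite=") ? setCookie : setCookie + "; SameSite=Strict";
            if (first) {
                resp.setHeader("Set-Cookie", value); // replaces the whole header set once
                first = false;
            } else {
                resp.addHeader("Set-Cookie", value);
            }
        }
        // … unchanged: view rendering in the try block …
```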

Modified: ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/WebAppServletContextListener.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/WebAppServletContextListener.java?rev=1812540&r1=1812539&r2=1812540&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/WebAppServletContextListener.java (original)
+++ ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/WebAppServletContextListener.java Wed Oct 18 15:01:04 2017
@@ -27,6 +27,8 @@ import javax.servlet.SessionCookieConfig
 import javax.servlet.SessionTrackingMode;
 import javax.servlet.annotation.WebListener;
 
+import org.apache.ofbiz.base.util.UtilProperties;
+
 @WebListener
 public class WebAppServletContextListener implements ServletContextListener {
 
@@ -40,6 +42,11 @@ public class WebAppServletContextListene
         SessionCookieConfig sessionCookieConfig = servletContext.getSessionCookieConfig();
         sessionCookieConfig.setHttpOnly(true);
         sessionCookieConfig.setSecure(true);
+        sessionCookieConfig.setComment("Created by Apache OFBiz WebAppServletContextListener");
+        String cookieDomain = UtilProperties.getPropertyValue("url", "cookie.domain", "");
+        if (cookieDomain.length() > 0) sessionCookieConfig.setDomain(cookieDomain);
+        sessionCookieConfig.setMaxAge(60 * 60 * 24 * 365);
+        sessionCookieConfig.setPath(servletContext.getContextPath());
     }
 
     /* (non-Javadoc)
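Review bot: `sessionCookieConfig.setMaxAge(60 * 60 * 24 * 365);` turns the session cookie into a persistent cookie that survives browser restarts for a year, which is the opposite of what the session-management guidance cited in the log message asks for (a session cookie should be non-persistent so it disappears when the browser closes, limiting the window in which a stolen cookie is useful); the container default of -1 already gives that, so the line should be dropped, or at least gated on an explicit property the way `cookie.domain` is. `setPath(servletContext.getContextPath())` passes an empty string for an application deployed at the root context, and whether the container then emits no Path attribute or an invalid one is container-specific — a guard such as `String path = servletContext.getContextPath(); sessionCookieConfig.setPath(path.isEmpty() ? "/" : path);` would make the outcome explicit. The unbraced `if (cookieDomain.length() > 0) sessionCookieConfig.setDomain(cookieDomain);` is a style point; braces on every conditional keep later additions from silently falling outside the condition. The enclosing method begins outside the hunk.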