Posted to notifications@ofbiz.apache.org by "Jacques Le Roux (JIRA)" <ji...@apache.org> on 2017/09/26 08:42:01 UTC

[jira] [Updated] (OFBIZ-6655) Add session tracking mode and make cookie secure

     [ https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-6655:
-----------------------------------
    Attachment: OFBIZ-6655-programmatically-session-cookies-plugins.patch
                OFBIZ-6655-programmatically-session-cookies-trunk.patch

I have attached 2 patches (trunk and plugin) to programmatically replace the web.xml <session-config> declarations and use the @WebListener annotation to start the process. This avoids duplicating things everywhere in web.xml files. Since the web.xml files have precedence over annotations, the setting can be easily overridden when necessary.

Now that we also use HTTPS in ecommerce, the ecommerce session cookie is also secured.
----
I also noted that we have 8 weird <session-timeout> declarations:
*  in solr component: <session-timeout>2</session-timeout>
*  in themes: <session-timeout>1</session-timeout>
Does somebody know why?

Also in Rainbowstone we lack the <cookie-config> and <tracking-mode> declarations. I think it's not good.

We can easily resolve these points by simply removing the <session-config> in web.xml files of themes and Solr. Without answers that's what I'll do.

> Add session tracking mode and make cookie secure
> ------------------------------------------------
>
>                 Key: OFBIZ-6655
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-6655
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL COMPONENTS
>    Affects Versions: Trunk, 14.12.01
>            Reporter: Deepak Dixit
>            Assignee: Deepak Dixit
>             Fix For: 14.12.01, 15.12.01
>
>         Attachments: OFBIA-6655.applications.patch, OFBIZ-6655.framework_themes.patch, OFBIZ-6655-programmatically-session-cookies-plugins.patch, OFBIZ-6655-programmatically-session-cookies-trunk.patch, OFBIZ-6655_specialpurpose_leftover.patch, sessionConifg_ecommerce.patch
>
>
> Need to enhance security at web-app level. 
> As per current implementation:
> - The cookie containing the session identifier is not secure
> - The session identifier is transmitted in the query string of the URL
> To fix these issues we have to add the following session config options in web.xml
> {code}
> <session-config>
> 	<cookie-config>
> 	    <http-only>true</http-only>
> 	    <secure>true</secure>
> 	</cookie-config>
> 	<tracking-mode>COOKIE</tracking-mode>
> </session-config>
> {code}
> Also we need to update the web-app servlet specification from 2.3 to 3.0
> {code}
> <web-app version="3.0"
>         xmlns="http://java.sun.com/xml/ns/javaee"
>         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
>                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
> {code}
> https://tomcat.apache.org/whichversion.html



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
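The programmatic approach Jacques describes, as an added illustration that is not the code from the attached patches: a Servlet 3.0 listener that applies the same settings as the <session-config> block quoted in the issue. The class name is made up; the javax.servlet calls are the standard Servlet 3.0 API.

```java
import java.util.EnumSet;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

/**
 * Illustrative listener (hypothetical name, not from the OFBiz patches).
 * Hardens the session cookie of every web app that loads this class,
 * so the <session-config> block does not have to be repeated in each web.xml.
 */
@WebListener
public class SessionCookieHardeningListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();

        // Equivalent of <http-only>true</http-only>: scripts cannot read the cookie.
        cookie.setHttpOnly(true);

        // Equivalent of <secure>true</secure>: the browser sends it only over HTTPS.
        cookie.setSecure(true);

        // Equivalent of <tracking-mode>COOKIE</tracking-mode>: the container never
        // rewrites URLs with ;jsessionid=..., so the id does not leak via query strings,
        // referrers or logs. These setters are only legal before the context is
        // initialised, which is exactly when contextInitialized runs.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // Nothing to release.
    }
}
```

The container only scans for @WebListener when the web.xml declares version 3.0 or later and does not set metadata-complete="true", which is why the issue's upgrade from the 2.3 to the 3.0 web-app descriptor matters; an explicit <session-config> left in a web.xml still takes precedence over these calls.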