You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@ofbiz.apache.org by "Jacques Le Roux (JIRA)" <ji...@apache.org> on 2017/09/26 08:44:01 UTC
[jira] [Comment Edited] (OFBIZ-6655) Add session tracking mode and
make cookie secure
[ https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16180420#comment-16180420 ]
Jacques Le Roux edited comment on OFBIZ-6655 at 9/26/17 8:43 AM:
-----------------------------------------------------------------
Thanks Jacques,
was (Author: deepak.dixit):
Thanks Jaacques,
> Add session tracking mode and make cookie secure
> ------------------------------------------------
>
> Key: OFBIZ-6655
> URL: https://issues.apache.org/jira/browse/OFBIZ-6655
> Project: OFBiz
> Issue Type: Sub-task
> Components: ALL COMPONENTS
> Affects Versions: Trunk, 14.12.01
> Reporter: Deepak Dixit
> Assignee: Jacques Le Roux
> Fix For: 14.12.01, 15.12.01
>
> Attachments: OFBIA-6655.applications.patch, OFBIZ-6655.framework_themes.patch, OFBIZ-6655-programmatically-session-cookies-plugins.patch, OFBIZ-6655-programmatically-session-cookies-trunk.patch, OFBIZ-6655_specialpurpose_leftover.patch, sessionConifg_ecommerce.patch
>
>
> Need to enhance security at web-app level.
> As per current implementation:
> - The cookie containing the session identifier is not secure
> - The session identifier is transmitted in the query string of the URL
> To fix these issue we have to add following session config otpions in web.xml
> {code}
> <session-config>
> <cookie-config>
> <http-only>true</http-only>
> <secure>true</secure>
> </cookie-config>
> <tracking-mode>COOKIE</tracking-mode>
> </session-config>
> {code}
> Also we need to update the web-app servlet specification from 2.3 to 3.0
> {code}
> <web-app version="3.0"
> xmlns="http://java.sun.com/xml/ns/javaee"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
> http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
> {code}
> https://tomcat.apache.org/whichversion.html
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)