You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ofbiz.apache.org by "Jacques Le Roux (JIRA)" <ji...@apache.org> on 2015/09/26 15:37:04 UTC

[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure

    [ https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14909280#comment-14909280 ] 

Jacques Le Roux commented on OFBIZ-6655:
----------------------------------------

Hi Deepak,

I don't think we need to put 
{code}
 <web-app version="3.0"
{code}
in our web.xml files (see https://tomcat.apache.org/tomcat-7.0-doc/appdev/web.xml.txt and https://download.oracle.com/otn-pub/jcp/servlet-3.0-fr-oth-JSpec/servlet-3_0-final-spec.pdf chapter 14
The issue I foresee is if we don't when we will upgrade Tomcat we will not need to update, it it will be automatically done.

On the other hand we could keep the rest (xmlns, etc.). Did I miss something?

> Add session tracking mode and make cookie secure
> ------------------------------------------------
>
>                 Key: OFBIZ-6655
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-6655
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL COMPONENTS
>    Affects Versions: Trunk, 14.12.01
>            Reporter: Deepak Dixit
>            Assignee: Deepak Dixit
>
> Need to enhance security at web-app level. 
> As per current implementation:
> - The cookie containing the session identifier is not secure
> - The session identifier is transmitted in the query string of the URL
> To fix these issue we have to add following session config otpions in web.xml
> {code}
> <session-config>
> 	<cookie-config>
> 	    <http-only>true</http-only>
> 	    <secure>true</secure>
> 	</cookie-config>
> 	<tracking-mode>COOKIE</tracking-mode>
> </session-config>
> {code}
> Also we need to update the web-app servlet specification from 2.3 to 3.0
> {code}
> <web-app version="3.0"
>         xmlns="http://java.sun.com/xml/ns/javaee"
>         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
>                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
> {code}
> https://tomcat.apache.org/whichversion.html



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)