ofbiz-dev mailing list archives

From "Jacques Le Roux (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure
Date Tue, 24 Nov 2015 06:12:10 GMT

[ https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15023838#comment-15023838 ]

Jacques Le Roux commented on OFBIZ-6655:
----------------------------------------

I reverted r1715506 at revision 1716036. The issues I crossed:

Get to localhost:8080/ecommerce/control/main
Add a product: instead of staying on the main page you get to the cart page, despite having
"Always View Cart After Adding An Item." not checked. Then e.g.:

Scenario 1
Use the Recalculate option at top => You get "Your Shopping Cart Empty"

Scenario 2
Use the Continue Shopping option at top => your cart is empty

Scenario 3
Use the checkout link on top
Login with DemoCustomer
Use the Quick Checkout option
Use the main link on top => your cart is empty


> Add session tracking mode and make cookie secure
> ------------------------------------------------
>
>                 Key: OFBIZ-6655
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-6655
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL COMPONENTS
>    Affects Versions: Trunk, 14.12.01
>            Reporter: Deepak Dixit
>            Assignee: Deepak Dixit
>         Attachments: OFBIA-6655.applications.patch, OFBIZ-6655.framework_themes.patch, sessionConifg_ecommerce.patch
>
>
> Need to enhance security at web-app level. 
> As per current implementation:
> - The cookie containing the session identifier is not secure
> - The session identifier is transmitted in the query string of the URL
> To fix these issues we have to add the following session config options in web.xml
> {code}
> <session-config>
> 	<cookie-config>
> 	    <http-only>true</http-only>
> 	    <secure>true</secure>
> 	</cookie-config>
> 	<tracking-mode>COOKIE</tracking-mode>
> </session-config>
> {code}
> Also we need to update the web-app servlet specification from 2.3 to 3.0
> {code}
> <web-app version="3.0"
>         xmlns="http://java.sun.com/xml/ns/javaee"
>         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
>                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
> {code}
> https://tomcat.apache.org/whichversion.html



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
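The quoted issue proposes three web.xml settings (http-only, secure, tracking-mode COOKIE) and a bump of the descriptor to Servlet 3.0, since the cookie-config elements only exist in that schema. The following audit script is an added example, not OFBiz code or anything from the issue: it parses a web.xml and reports which of those settings are in place, using two constructed sample descriptors.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the fragment proposed in the issue, wrapped in a Servlet 3.0 web-app.
HARDENED_WEB_XML = """<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee">
  <session-config>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>
"""

# Constructed sample: a pre-3.0 descriptor (no version attribute, no session-config at all).
LEGACY_WEB_XML = """<web-app>
  <display-name>ecommerce</display-name>
</web-app>
"""


def _children(elem, name):
    """Descendants whose local tag name is `name`, ignoring the Java EE namespace prefix."""
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]


def _flag(elem, name):
    """True when the first descendant called `name` has the text 'true'."""
    found = _children(elem, name)
    return bool(found) and (found[0].text or "").strip().lower() == "true"


def audit_session_config(web_xml: str) -> dict:
    """One boolean per check; True means that part of the hardening is in place."""
    root = ET.fromstring(web_xml)
    # <cookie-config> and <tracking-mode> only exist in the Servlet 3.0+ schema.
    servlet_3 = float(root.get("version") or 0) >= 3.0
    cookie_cfg = _children(root, "cookie-config")
    modes = [(m.text or "").strip().upper() for m in _children(root, "tracking-mode")]
    return {
        "servlet_3_or_later": servlet_3,
        "http_only": bool(cookie_cfg) and _flag(cookie_cfg[0], "http-only"),
        "secure": bool(cookie_cfg) and _flag(cookie_cfg[0], "secure"),
        # Every listed tracking-mode must be COOKIE, or the container may still append the id to URLs.
        "cookie_only_tracking": bool(modes) and all(m == "COOKIE" for m in modes),
    }


def is_hardened(web_xml: str) -> bool:
    """All checks pass. Caveat: a Secure cookie is never sent over plain http://, so such pages start a new session."""
    return all(audit_session_config(web_xml).values())
```

Run it against each webapp's WEB-INF/web.xml before and after applying a patch like the one in the issue; a webapp that still serves any page over plain HTTP will not see the Secure session cookie on those pages.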
