ofbiz-notifications mailing list archives

From "Jacques Le Roux (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure
Date Tue, 26 Sep 2017 07:21:00 GMT

    [ https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16180373#comment-16180373 ]

Jacques Le Roux commented on OFBIZ-6655:
----------------------------------------

Hi Deepak,

At r1722379 you reverted r1719762 (actually r1719939). You were right to do so for RequestHandler
but not for the other files, because it now does not handle security for cookies which are
not session cookies. It's minor but still a risk, notably for autoLoginCookie.

At r1809687 I reapplied r1719762 for the other files to make other than session cookies secure.
I will not backport. More to come soon...

> Add session tracking mode and make cookie secure
> ------------------------------------------------
>
>                 Key: OFBIZ-6655
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-6655
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL COMPONENTS
>    Affects Versions: Trunk, 14.12.01
>            Reporter: Deepak Dixit
>            Assignee: Deepak Dixit
>             Fix For: 14.12.01, 15.12.01
>
>         Attachments: OFBIA-6655.applications.patch, OFBIZ-6655.framework_themes.patch, OFBIZ-6655_specialpurpose_leftover.patch, sessionConifg_ecommerce.patch
>
>
> Need to enhance security at web-app level.
> As per current implementation:
> - The cookie containing the session identifier is not secure
> - The session identifier is transmitted in the query string of the URL
> To fix these issues we have to add the following session config options in web.xml
> {code}
> <session-config>
> 	<cookie-config>
> 	    <http-only>true</http-only>
> 	    <secure>true</secure>
> 	</cookie-config>
> 	<tracking-mode>COOKIE</tracking-mode>
> </session-config>
> {code}
> Also we need to update the web-app servlet specification from 2.3 to 3.0
> {code}
> <web-app version="3.0"
>         xmlns="http://java.sun.com/xml/ns/javaee"
>         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
>                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
> {code}
> https://tomcat.apache.org/whichversion.html
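As an added example (not part of the ticket or of the OFBiz code base), a small Python audit that checks captured HTTP response headers for the weaknesses the ticket and the comment above describe: a Set-Cookie without Secure, a Set-Cookie without HttpOnly, and a session id rewritten into a redirect URL. The header sample is constructed; cookie names other than JSESSIONID and autoLoginCookie, and the `;jsessionid=` URL form, are assumptions about a Tomcat deployment. It flags both flags on every cookie, which is stricter than the comment's "secure" for non-session cookies.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample, not captured from a real OFBiz instance: headers as a
# deployment might emit them before the web.xml change, plus one clean cookie.
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Set-Cookie", "JSESSIONID=0123ABC; Path=/ecommerce"),
    ("Set-Cookie", "autoLoginCookie=admin; Path=/ecommerce; Max-Age=31536000"),
    ("Set-Cookie", "OFBiz.Visitor=10000; Path=/; Secure; HttpOnly"),
    ("Location", "https://example.test/ecommerce/main;jsessionid=0123ABC"),
]

# Tomcat rewrites the session id as a path parameter (;jsessionid=); the
# query-string forms are included because the ticket text mentions them.
SESSION_ID_IN_URL = re.compile(r"[;?&]jsessionid=", re.IGNORECASE)


def parse_set_cookie(value: str) -> Dict[str, object]:
    """Return the cookie name and the lower-cased set of its attribute names."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Set[str] = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return {"name": name, "attrs": attrs}


def audit_headers(headers: List[Tuple[str, str]]) -> List[str]:
    """List one finding per weakness; an empty list means the response is clean."""
    findings: List[str] = []
    for header, value in headers:
        if header.lower() == "set-cookie":
            cookie = parse_set_cookie(value)
            if "secure" not in cookie["attrs"]:
                findings.append(f"{cookie['name']}: missing Secure")
            if "httponly" not in cookie["attrs"]:
                findings.append(f"{cookie['name']}: missing HttpOnly")
        elif header.lower() == "location" and SESSION_ID_IN_URL.search(value):
            findings.append("Location: session id rewritten into URL")
    return findings


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print(finding)
```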



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
