ofbiz-notifications mailing list archives

From "Jacques Le Roux (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (OFBIZ-6655) Add session tracking mode and make cookie secure
Date Tue, 26 Sep 2017 08:42:01 GMT

     [ https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Jacques Le Roux updated OFBIZ-6655:
    Attachment: OFBIZ-6655-programmatically-session-cookies-plugins.patch

I have attached 2 patches (trunk and plugin) to programmatically replace the web.xml <session-config>
declarations and use the @WebListener annotation to start the process. This avoids duplicating
things everywhere in web.xml files. Since the web.xml files have precedence over annotations,
the setting can be easily overridden when necessary.

Now that we also use HTTPS in ecommerce the ecommerce session cookie is also secured.
I also noted that we have 8 weird <session-timeout> declarations:
*  in solr component: <session-timeout>2</session-timeout>
*  in themes: <session-timeout>1</session-timeout>
Does somebody know why?

Also in Rainbowstone we lack the <cookie-config> and <tracking-mode> declarations.
I think it's not good.

We can easily resolve these points by simply removing the <session-config> in web.xml
files of themes and Solr. Without answers that's what I'll do.

> Add session tracking mode and make cookie secure
> ------------------------------------------------
>                 Key: OFBIZ-6655
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-6655
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL COMPONENTS
>    Affects Versions: Trunk, 14.12.01
>            Reporter: Deepak Dixit
>            Assignee: Deepak Dixit
>             Fix For: 14.12.01, 15.12.01
>         Attachments: OFBIA-6655.applications.patch, OFBIZ-6655.framework_themes.patch,
> OFBIZ-6655-programmatically-session-cookies-plugins.patch, OFBIZ-6655-programmatically-session-cookies-trunk.patch,
> OFBIZ-6655_specialpurpose_leftover.patch, sessionConifg_ecommerce.patch
> Need to enhance security at web-app level.
> As per current implementation:
> - The cookie containing the session identifier is not secure
> - The session identifier is transmitted in the query string of the URL
> To fix these issues we have to add the following session config options in web.xml
> {code}
> <session-config>
> 	<cookie-config>
> 	    <http-only>true</http-only>
> 	    <secure>true</secure>
> 	</cookie-config>
> 	<tracking-mode>COOKIE</tracking-mode>
> </session-config>
> {code}
> Also we need to update the web-app servlet specification from 2.3 to 3.0
> {code}
> <web-app version="3.0"
>         xmlns="http://java.sun.com/xml/ns/javaee"
>         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
>                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
> {code}
> https://tomcat.apache.org/whichversion.html

This message was sent by Atlassian JIRA
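The programmatic approach Jacques describes above (a @WebListener that replaces the per-web.xml <session-config> block quoted in the issue) can be written against the plain Servlet 3.0 API. The class below is an added illustration, not the attached OFBiz patch, and its class name and package layout are assumptions; the three settings it applies are exactly those in the issue's <session-config> snippet.

```java
import java.util.EnumSet;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

/**
 * Hypothetical listener (illustration only, not the OFBiz patch): applies the
 * settings of the issue's <session-config> block from code, so they do not have
 * to be repeated in every web.xml. Discovered by the container through the
 * @WebListener annotation, which requires a Servlet 3.0+ web.xml without
 * metadata-complete="true".
 */
@WebListener
public class SecureSessionConfigListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // Equivalent of <cookie-config><http-only>true</http-only><secure>true</secure></cookie-config>.
        // Both setters are only legal during contextInitialized(); afterwards the
        // container throws IllegalStateException.
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true); // session id is not readable from document.cookie
        cookie.setSecure(true);   // browser sends the cookie over HTTPS only

        // Equivalent of <tracking-mode>COOKIE</tracking-mode>: the session id is
        // never rewritten into URLs as ;jsessionid=..., so it does not leak via
        // referers, logs or bookmarks.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }
}
```

To verify the result after deployment, look at the first response that creates a session: the Set-Cookie header for JSESSIONID should carry both the Secure and HttpOnly attributes, and links rendered by the application should no longer contain a ;jsessionid= segment. A webapp that still declares <session-config> in its own web.xml keeps those declared values, which is the override path the message mentions.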
