Mailing-List: contact notifications-help@ofbiz.apache.org; run by ezmlm
Reply-To: dev@ofbiz.apache.org
Date: Tue, 26 Sep 2017 07:21:00 +0000 (UTC)
From: "Jacques Le Roux (JIRA)"
To: notifications@ofbiz.apache.org
Subject: [jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure

[ https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16180373#comment-16180373 ]

Jacques Le Roux commented on OFBIZ-6655:
----------------------------------------

Hi Deepak,

At r1722379 you reverted r1719762 (actually r1719939). You were right to do so for RequestHandler but not for the other files, because it now does not handle security for cookies which are not session cookies. It's minor but still a risk, notably for autoLoginCookie.

At r1809687 I reapplied r1719762 for the other files to make other than session cookies secure. I will not backport.

More to come soon...
> Add session tracking mode and make cookie secure
> ------------------------------------------------
>
>                 Key: OFBIZ-6655
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-6655
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL COMPONENTS
>    Affects Versions: Trunk, 14.12.01
>            Reporter: Deepak Dixit
>            Assignee: Deepak Dixit
>             Fix For: 14.12.01, 15.12.01
>
>         Attachments: OFBIA-6655.applications.patch, OFBIZ-6655.framework_themes.patch, OFBIZ-6655_specialpurpose_leftover.patch, sessionConifg_ecommerce.patch
>
>
> Need to enhance security at web-app level.
> As per current implementation:
> - The cookie containing the session identifier is not secure
> - The session identifier is transmitted in the query string of the URL
> To fix these issues we have to add the following session config options in web.xml
> {code}
> <session-config>
>     <cookie-config>
>         <http-only>true</http-only>
>         <secure>true</secure>
>     </cookie-config>
>     <tracking-mode>COOKIE</tracking-mode>
> </session-config>
> {code}
> Also we need to update the web-app servlet specification from 2.3 to 3.0
> {code}
> <web-app version="3.0"
>     xmlns="http://java.sun.com/xml/ns/javaee"
>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>     xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
>     http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
> {code}
> https://tomcat.apache.org/whichversion.html

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
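As an added example, not OFBiz code and not taken from the patches attached to this issue: the Servlet 3.0 API equivalent of the web.xml session config quoted above, plus the per-cookie hardening the comment is about. The point a practitioner needs is that `<session-config>`/`<cookie-config>` only governs the container's session cookie (JSESSIONID); every other cookie the application sets, such as an auto-login cookie, must carry Secure and HttpOnly itself via `Cookie.setSecure` and `Cookie.setHttpOnly`, and `setHttpOnly` only exists from Servlet 3.0, which is why the descriptor bump from 2.3 to 3.0 matters. The class name, the cookie name `autoLogin`, the `missingFlags` checker and the sample Set-Cookie headers in `main` are assumptions for illustration, not OFBiz identifiers or captured traffic.

```java
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative helper (hypothetical, not OFBiz code). Two halves of the fix
 * discussed in OFBIZ-6655: the container-level session-cookie settings and
 * the per-cookie flags that every other cookie needs.
 */
public class SecureCookieExample implements ServletContextListener {

    // Programmatic equivalent of the web.xml <session-config> block. This
    // affects only the session cookie; see hardenCookie() for all others.
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        SessionCookieConfig scc = ctx.getSessionCookieConfig();
        scc.setHttpOnly(true);
        scc.setSecure(true);
        // COOKIE only: the container never rewrites URLs with ;jsessionid=...,
        // so the id cannot leak through Referer headers, proxy logs or history.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }

    /**
     * Apply Secure and HttpOnly to a cookie that is NOT the session cookie.
     * <cookie-config> does nothing for these; each one must be flagged by hand.
     */
    public static Cookie hardenCookie(Cookie cookie, boolean httpOnly) {
        cookie.setSecure(true);       // browser sends it only over TLS
        cookie.setHttpOnly(httpOnly); // keep it out of document.cookie unless JS needs it
        return cookie;
    }

    /**
     * Issue an auto-login style cookie (name "autoLogin" is hypothetical).
     * A Secure cookie is only useful over TLS, so a remember-me token is
     * refused on a plain-HTTP request instead of being issued unprotected.
     */
    public static boolean addAutoLoginCookie(HttpServletRequest request,
                                             HttpServletResponse response,
                                             String token, int maxAgeSeconds) {
        if (!request.isSecure()) {
            return false; // caller should redirect to HTTPS rather than set the cookie
        }
        Cookie c = new Cookie("autoLogin", token);
        String path = request.getContextPath();
        c.setPath(path.isEmpty() ? "/" : path);
        c.setMaxAge(maxAgeSeconds);
        response.addCookie(hardenCookie(c, true));
        return true;
    }

    /**
     * Verification aid: given a raw Set-Cookie header value (for example from
     * `curl -sI https://host/ | grep -i set-cookie`), list the flags it lacks.
     * Attribute names are case-insensitive per RFC 6265.
     */
    public static List<String> missingFlags(String setCookieValue) {
        Set<String> attrs = new HashSet<>();
        String[] parts = setCookieValue.split(";");
        for (int i = 1; i < parts.length; i++) { // parts[0] is name=value
            String attr = parts[i].trim();
            int eq = attr.indexOf('=');
            attrs.add((eq < 0 ? attr : attr.substring(0, eq)).toLowerCase(Locale.ROOT));
        }
        List<String> missing = new ArrayList<>();
        if (!attrs.contains("secure")) missing.add("Secure");
        if (!attrs.contains("httponly")) missing.add("HttpOnly");
        return missing;
    }

    public static void main(String[] args) {
        // Constructed sample headers, not captured from any real server.
        String[] samples = {
            "JSESSIONID=abc123; Path=/; Secure; HttpOnly",
            "autoLogin=tok; Path=/ecommerce; Max-Age=2592000"
        };
        for (String s : samples) {
            System.out.println(s.split(";")[0] + " -> missing " + missingFlags(s));
        }
    }
}
```

To use the listener half, declare the class in web.xml with a `<listener>` element; the web.xml `<session-config>` block and this code are alternatives, not both required. The `missingFlags` check is the quick way to confirm, after a deploy, that the non-session cookies were actually covered and not only JSESSIONID.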