From: "Jacques Le Roux (JIRA)"
To: notifications@ofbiz.apache.org
Reply-To: dev@ofbiz.apache.org
Date: Tue, 26 Sep 2017 08:42:01 +0000 (UTC)
Subject: [jira] [Updated] (OFBIZ-6655) Add session tracking mode and make cookie secure

[ https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-6655:
-----------------------------------
    Attachment: OFBIZ-6655-programmatically-session-cookies-plugins.patch
                OFBIZ-6655-programmatically-session-cookies-trunk.patch

I have attached 2 patches (trunk and plugin) that programmatically replace the web.xml declarations and use the @WebListener annotation to start the process. This avoids duplicating things everywhere in web.xml files. Since the web.xml files have precedence over annotations, the setting can be easily overridden when necessary.

Now that we also use HTTPS in ecommerce, the ecommerce session cookie is also secured.

----

I also noted that we have 8 weird declarations:
* in solr component: 2
* in themes: 1

Does somebody know why?

Also in Rainbowstone we lack the and declarations. I think it's not good.

We can easily resolve these points by simply removing the in web.xml files of themes and Solr. Without answers that's what I'll do.
> Add session tracking mode and make cookie secure
> ------------------------------------------------
>
>                 Key: OFBIZ-6655
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-6655
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL COMPONENTS
>    Affects Versions: Trunk, 14.12.01
>            Reporter: Deepak Dixit
>            Assignee: Deepak Dixit
>             Fix For: 14.12.01, 15.12.01
>
>         Attachments: OFBIA-6655.applications.patch, OFBIZ-6655.framework_themes.patch, OFBIZ-6655-programmatically-session-cookies-plugins.patch, OFBIZ-6655-programmatically-session-cookies-trunk.patch, OFBIZ-6655_specialpurpose_leftover.patch, sessionConifg_ecommerce.patch
>
>
> Need to enhance security at web-app level.
> As per current implementation:
> - The cookie containing the session identifier is not secure
> - The session identifier is transmitted in the query string of the URL
> To fix these issues we have to add the following session config options in web.xml
> {code}
> <session-config>
>     <cookie-config>
>         <http-only>true</http-only>
>         <secure>true</secure>
>     </cookie-config>
>     <tracking-mode>COOKIE</tracking-mode>
> </session-config>
> {code}
> Also we need to update the web-app servlet specification from 2.3 to 3.0
> {code}
> <web-app version="3.0"
>     xmlns="http://java.sun.com/xml/ns/javaee"
>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>     xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
>     http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
> {code}
> https://tomcat.apache.org/whichversion.html

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
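The programmatic alternative to the web.xml block that Jacques mentions, shown as an added example and not the content of the attached patches or any OFBiz class: a Servlet 3.0 @WebListener that applies the same three settings (HttpOnly, Secure, COOKIE-only tracking) through the standard javax.servlet API. The package and class names are assumptions; the API calls are the real Servlet 3.0 ones.

```java
package org.example.session; // assumed package name, not an OFBiz package

import java.util.EnumSet;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

/**
 * Hardens the session cookie of every web-app that loads this class,
 * so the block below does not have to be repeated in each web.xml:
 *
 *   <session-config>
 *     <cookie-config>
 *       <http-only>true</http-only>
 *       <secure>true</secure>
 *     </cookie-config>
 *     <tracking-mode>COOKIE</tracking-mode>
 *   </session-config>
 *
 * Discovered by annotation scanning, which only happens for descriptors
 * declaring version 3.0 or later without metadata-complete="true".
 */
@WebListener
public class SecureSessionCookieListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // SessionCookieConfig can only be changed while the context is
        // initialising; later calls throw IllegalStateException, which is
        // why this belongs in a context listener and not in a servlet.
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true); // keeps the id out of document.cookie
        cookie.setSecure(true);   // browser sends the cookie over HTTPS only

        // COOKIE alone disables URL rewriting (";jsessionid=..."), so the
        // session id no longer appears in query strings, Referer headers
        // or access logs.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }
}
```

Two practical checks before rolling this out: a web-app that is still served over plain HTTP will silently lose its session once the cookie is marked Secure (the browser never sends it back), which is why the comment above ties the ecommerce change to the move to HTTPS; and the listener only takes effect in web-apps whose descriptor has been upgraded to version 3.0, which is the other half of the issue. After deployment, the Set-Cookie header of the first response should carry both the HttpOnly and Secure attributes, and links rendered by the app should no longer contain a jsessionid.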