Details
- Type: Sub-task
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Fix Version/s: 14.12.01, Trunk
- None
- Bug Crush Event - 21/2/2015
Description
Need to enhance security at the web-app level.
As per the current implementation:
- The cookie containing the session identifier is not secure
- The session identifier is transmitted in the query string of the URL
To fix these issues we have to add the following session config options in web.xml:
<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
Also we need to update the web-app servlet specification from 2.3 to 3.0:
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
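As an added example (not OFBiz code), a small audit script that checks a web.xml for the three settings this issue adds and for the Servlet 3.0 descriptor version that <cookie-config> requires; both sample descriptors are constructed inline and trimmed to the relevant elements.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the hardened descriptor from this issue (trimmed to the
# elements that matter; a real OFBiz web.xml carries many more).
HARDENED_WEB_XML = """<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
  <session-config>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>"""

# Constructed sample: a pre-3.0 descriptor with no cookie hardening at all.
LEGACY_WEB_XML = """<web-app>
  <session-config>
    <session-timeout>60</session-timeout>
  </session-config>
</web-app>"""


def audit_session_config(web_xml: str) -> list:
    """Return findings for a web.xml; an empty list means it is hardened."""
    root = ET.fromstring(web_xml)
    # Servlet 3.0 descriptors are namespaced; older DTD-based ones are not.
    ns = root.tag.split("}")[0] + "}" if root.tag.startswith("{") else ""
    findings = []
    try:
        version = float(root.get("version", "0"))
    except ValueError:
        version = 0.0
    if version < 3.0:
        findings.append("web-app version below 3.0: <cookie-config> is unsupported")
    sc = root.find(ns + "session-config")
    cc = sc.find(ns + "cookie-config") if sc is not None else None

    def is_true(parent, name):
        elem = parent.find(ns + name) if parent is not None else None
        return elem is not None and (elem.text or "").strip().lower() == "true"

    if not is_true(cc, "http-only"):
        findings.append("session cookie is not HttpOnly (readable by page script)")
    if not is_true(cc, "secure"):
        findings.append("session cookie is not Secure (sent over plain HTTP)")
    modes = [(m.text or "").strip() for m in sc.findall(ns + "tracking-mode")] if sc is not None else []
    if modes != ["COOKIE"]:
        findings.append("tracking-mode is not exactly COOKIE: session id may appear in the URL")
    return findings
```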
Attachments
Issue Links
- is part of: OFBIZ-6766 Secure HTTP headers (Closed)
- is related to: OFBIZ-6993 Cannot find the declaration of element 'web-app' in version 3.0 files. (Closed)
- is related to: OFBIZ-6807 UtilXml.LocalResolver.resolveEntity] could not find LOCAL DTD/Schema with publicId [null] and the file/resource is [web-app_3_0.xsd] (Closed)