Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Major
    • Resolution: Implemented
    • Affects Version/s: Trunk, 14.12.01
    • Fix Version/s: 14.12.01, 15.12.01
    • Component/s: ALL COMPONENTS
    • Labels: None
    • Sprint: Bug Crush Event - 21/2/2015

      Description

      Need to enhance security at web-app level.
      As per current implementation:

      • The cookie containing the session identifier is not secure
      • The session identifier is transmitted in the query string of the URL

      To fix these issues we have to add the following session config options in web.xml:

      <session-config>
          <cookie-config>
              <http-only>true</http-only>
              <secure>true</secure>
          </cookie-config>
          <tracking-mode>COOKIE</tracking-mode>
      </session-config>


      Also, we need to update the web-app servlet specification from 2.3 to 3.0:

      <web-app version="3.0"
              xmlns="http://java.sun.com/xml/ns/javaee"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                                  http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
      

      https://tomcat.apache.org/whichversion.html
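      The description lists two settings to add and one version bump, but does not show how to tell, after the patch is applied, whether a given web.xml actually carries all of them. The script below is an added example, not code from the OFBIZ-6655 ticket or its attached patches: it parses a descriptor and reports each missing hardening item (version below 3.0, HttpOnly, Secure, and a tracking-mode that is not restricted to COOKIE). The two sample descriptors are constructed for this example; the "hardened" one mirrors the snippet in the description.

```python
# Added example (not from the OFBIZ-6655 ticket or its patches): audits a
# Servlet web.xml for the session-cookie settings the description asks for.
import xml.etree.ElementTree as ET


def _local(tag):
    """Return an element's tag without its XML namespace prefix."""
    return tag.rsplit("}", 1)[-1]


def _child(parent, name):
    """First direct child whose local tag name matches, or None (namespace-agnostic)."""
    return next((c for c in parent if _local(c.tag) == name), None)


def _text_at(root, *path):
    """Walk a chain of child elements by local name and return the leaf text, or None."""
    node = root
    for name in path:
        node = _child(node, name)
        if node is None:
            return None
    return (node.text or "").strip()


def audit_web_xml(xml_text):
    """Return a list of findings; an empty list means the descriptor is hardened."""
    root = ET.fromstring(xml_text)
    findings = []

    # <cookie-config> and <tracking-mode> only exist from Servlet 3.0 on.
    version = root.get("version")
    try:
        if version is None or float(version) < 3.0:
            findings.append(
                f"web-app version {version!r} is below 3.0; "
                "<cookie-config> and <tracking-mode> are not available")
    except ValueError:
        findings.append(f"web-app version {version!r} is not a number")

    if _text_at(root, "session-config", "cookie-config", "http-only") != "true":
        findings.append("session cookie is not HttpOnly (readable from script)")
    if _text_at(root, "session-config", "cookie-config", "secure") != "true":
        findings.append("session cookie is not Secure (sent over plain HTTP)")

    # <tracking-mode> may repeat; anything other than exactly COOKIE lets the
    # container fall back to rewriting the session id into URLs.
    session_config = _child(root, "session-config")
    modes = [] if session_config is None else [
        (m.text or "").strip() for m in session_config if _local(m.tag) == "tracking-mode"]
    if modes != ["COOKIE"]:
        findings.append(
            f"tracking-mode is {modes or 'unset (container default)'}; "
            "session id may be placed in the URL")
    return findings


# Constructed "before": a Servlet 2.3 style descriptor with only a timeout.
LEGACY_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app>
  <session-config>
    <session-timeout>60</session-timeout>
  </session-config>
</web-app>
"""

# Constructed "after": the configuration proposed in the description.
HARDENED_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                        http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
  <session-config>
    <session-timeout>60</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>
"""

if __name__ == "__main__":
    for label, doc in (("legacy", LEGACY_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label, audit_web_xml(doc) or "OK")
```

      One operational point to keep in mind when rolling `<secure>true</secure>` out: the container then marks the session cookie Secure, and browsers will not send it over plain HTTP, so the webapp has to be reached over HTTPS (directly, or behind a TLS-terminating proxy the container treats as secure) or users will lose their session on every request.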

      Attachments

        1. sessionConifg_ecommerce.patch (16 kB, Rahul bhammarker)
        2. OFBIZ-6655-programmatically-session-cookies-trunk.patch (18 kB, Jacques Le Roux)
        3. OFBIZ-6655-programmatically-session-cookies-plugins.patch (16 kB, Jacques Le Roux)
        4. OFBIZ-6655.framework_themes.patch (23 kB, Rahul bhammarker)
        5. OFBIZ-6655_specialpurpose_leftover.patch (20 kB, Rahul bhammarker)
        6. OFBIA-6655.applications.patch (73 kB, Rahul bhammarker)


      People

        • Assignee: Jacques Le Roux (jacques.le.roux)
        • Reporter: Deepak Dixit (deepak.dixit)
        • Votes: 0
        • Watchers: 7
