OFBiz / OFBIZ-1525 Issue to group security concerns / OFBIZ-6655

Add session tracking mode and make cookie secure


Details

    • Bug Crush Event - 21/2/2015

    Description

      Need to enhance security at web-app level.
      As per current implementation:

      • The cookie containing the session identifier is not secure
      • The session identifier is transmitted in the query string of the URL

      To fix these issues we have to add the following session config options in web.xml:

      <session-config>
          <cookie-config>
              <http-only>true</http-only>
              <secure>true</secure>
          </cookie-config>
          <tracking-mode>COOKIE</tracking-mode>
      </session-config>
      

      Also we need to update the web-app servlet specification from 2.3 to 3.0:

      <web-app version="3.0"
              xmlns="http://java.sun.com/xml/ns/javaee"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                                  http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
      

      https://tomcat.apache.org/whichversion.html
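      As an added check that is not part of the issue or its attached patches, the following Python script audits a web.xml for exactly the settings described above (web-app version 3.0, HttpOnly and Secure cookie flags, COOKIE-only tracking mode); both descriptors embedded in it are constructed samples, not OFBiz files.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    """Drop the Java EE namespace so 2.x (DTD) and 3.x (XSD) descriptors look alike."""
    return tag.rsplit('}', 1)[-1]

def _find(el, *path):
    """Walk a chain of child element names; None if any step is missing."""
    for name in path:
        el = next((c for c in el if _local(c.tag) == name), None) if el is not None else None
    return el

def _text(el):
    return (el.text or '').strip().lower() if el is not None else ''

def audit_web_xml(xml_text):
    """Return a list of findings; an empty list means the descriptor is hardened."""
    root = ET.fromstring(xml_text)
    findings = []
    version = root.get('version', '')
    if not version.replace('.', '', 1).isdigit() or float(version) < 3.0:
        findings.append(f'web-app version {version or "(none)"} is below 3.0: '
                        '<cookie-config> and <tracking-mode> are Servlet 3.0 elements')
    if _text(_find(root, 'session-config', 'cookie-config', 'http-only')) != 'true':
        findings.append('session cookie is not HttpOnly (<http-only>true</http-only> missing)')
    if _text(_find(root, 'session-config', 'cookie-config', 'secure')) != 'true':
        findings.append('session cookie is not Secure (<secure>true</secure> missing)')
    session_config = _find(root, 'session-config')
    modes = [_text(m) for m in (session_config if session_config is not None else [])
             if _local(m.tag) == 'tracking-mode']
    if modes != ['cookie']:
        findings.append('tracking mode is not restricted to COOKIE, so the container may '
                        'still accept the session id in the URL (jsessionid)')
    return findings

# Constructed sample: a Servlet 2.3 descriptor without cookie hardening (the "before" state).
WEAK_WEB_XML = """<web-app version="2.3">
  <session-config><session-timeout>60</session-timeout></session-config>
</web-app>"""

# Constructed sample: a Servlet 3.0 descriptor carrying the settings from the description.
HARDENED_WEB_XML = """<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee">
  <session-config>
    <cookie-config><http-only>true</http-only><secure>true</secure></cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>"""
```

Running audit_web_xml over each webapp's web.xml after applying the patches confirms no component was left on the old descriptor; the weak sample yields four findings and the hardened one none.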

      Attachments

        1. OFBiz-6655.patch
          1 kB
          Deepak Nigam
        2. OFBIZ-6655-programmatically-session-cookies-trunk.patch
          18 kB
          Jacques Le Roux
        3. OFBIZ-6655-programmatically-session-cookies-plugins.patch
          16 kB
          Jacques Le Roux
        4. OFBIZ-6655_specialpurpose_leftover.patch
          20 kB
          Rahul bhammarker
        5. OFBIZ-6655.framework_themes.patch
          23 kB
          Rahul bhammarker
        6. OFBIA-6655.applications.patch
          73 kB
          Rahul bhammarker
        7. sessionConifg_ecommerce.patch
          16 kB
          Rahul bhammarker


          People

            jleroux Jacques Le Roux
            deepak Deepak Dixit
            Votes: 0
            Watchers: 8


              Agile

                Completed Sprint:
                Bug Crush Event - 21/2/2015 ended 26/Feb/15
