Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: Trunk
    • Fix Version/s: 16.11.01
    • Component/s: framework
    • Labels:
      None
    • Sprint:
      Bug Crush Event - 21/2/2015

      Description

This follows Scott's comment in OFBIZ-6111.

I totally agree and will also create an issue to remove forceHttpSession. We should always use HTTPS as explained in OFBIZ-6849.

I will also create an issue to get rid of the session-cookie-accepted feature. When the present issue is done, it will no longer be used OOTB, and anyway it should not be needed.

We should always use sessionIds in cookies and never have sessionIds in URLs. So I will create another issue to remove all sessionIds in URLs. There are 2 cases:

1. the part related to spiders in RequestHandler
2. HtmlFormRenderer.appendExternalLoginKey() (there is also an appendExternalLoginKey method in MacroFormRenderer class but it's not used OOTB)

There are also many cases where we show the sessionId in logs (using UtilHttp.getSessionId()). I wonder if we should not keep those commented out or change the debug info level. Also HttpSessionEvent.getSession().getId() is directly used in some places for the same purpose (log).

These are more improvement sub-tasks, but we will decide later if we want to backport them: they are security issues but could have an impact on custom projects based on releases.
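As an added illustration (not OFBiz code and not part of this issue), a hypothetical servlet listener that covers both points above: it pins session tracking to cookies so the container never rewrites the session id into URLs, and it logs a hashed reference instead of the raw id. The class name is invented; it assumes Servlet 3.0+ (javax.servlet) and Java 17+ for HexFormat.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.EnumSet;
import java.util.HexFormat;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Hypothetical listener (not OFBiz code). Requires Servlet 3.0+ and Java 17+ (HexFormat).
@WebListener
public class CookieOnlySessionListener implements ServletContextListener, HttpSessionListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        // COOKIE only: the container stops rewriting ";jsessionid=..." into URLs, so
        // response.encodeURL(url) returns url unchanged even on legacy spider code paths.
        sce.getServletContext().setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
        // The session cookie itself stays out of scripts and off plain HTTP.
        sce.getServletContext().getSessionCookieConfig().setHttpOnly(true);
        sce.getServletContext().getSessionCookieConfig().setSecure(true);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // Never log se.getSession().getId() itself; log a correlation token instead.
        System.out.println("session created " + safeSessionRef(se.getSession()));
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        System.out.println("session destroyed " + safeSessionRef(se.getSession()));
    }

    // First 6 bytes of SHA-256(id) as hex: enough to correlate log lines, but not a usable session id.
    static String safeSessionRef(HttpSession session) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(session.getId().getBytes(StandardCharsets.UTF_8));
            return HexFormat.of().formatHex(digest, 0, 6);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

With tracking pinned to cookies, any remaining call that appends the session id by hand (as in appendExternalLoginKey) still needs to be removed; the container setting only stops the automatic URL rewriting.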

          Activity

Jacques Le Roux added a comment:

          Done at r1727987

Jacques Le Roux added a comment:

          Completed at r1728660 (no functional change, just get rid of the "cookies" now unused variable)


People

• Assignee: Jacques Le Roux
• Reporter: Jacques Le Roux