That's quite good news, thanks Deepak and Pierre!

Jacques

On 24/09/2015 11:44, Pierre Smits wrote:
Servlet spec 3.0 is implemented in Tomcat versions 7.x. In trunk (and
release branch 14.x) we use Tomcat 7.0.64.

So this can be applied in future release branches as well as in r14.x

Best regards,

Pierre Smits

*OFBiz Extensions Marketplace*
http://oem.ofbizci.net

On Thu, Sep 24, 2015 at 11:27 AM, Deepak Dixit <
deepak.di...@hotwaxsystems.com> wrote:

Hi Dev,

I would like to propose some security enhancement at web-app level.
IMO we have to enhance sessionId and cookie tracking. As per current
implementation:
- The cookie containing the session identifier is not secure
- The session identifier is transmitted in the query string of the URL

We can add the following configuration in web.xml to fix the above issue:

<session-config>
         <cookie-config>
             <http-only>true</http-only>
             <secure>true</secure>
         </cookie-config>
         <tracking-mode>COOKIE</tracking-mode>
</session-config>

To use cookie-config and tracking-mode we need to update the servlet
specification to 3.0
https://tomcat.apache.org/whichversion.html


Thanks & Regards
—
Deepak Dixit


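A quick way to verify that a deployed web.xml actually carries the three settings Deepak lists (servlet spec 3.0 or later, HttpOnly and Secure on the session cookie, and COOKIE-only tracking) is to audit the file rather than eyeball it. The script below is an added example written for this page, not OFBiz project code; the two web.xml fragments it checks are constructed for illustration and are not taken from any OFBiz webapp.

```python
"""Audit a web.xml for the session-cookie hardening discussed in the thread.

Added example, not code from the OFBiz project. It reports whether:
  - the web-app declares servlet spec 3.0 or later (cookie-config and
    tracking-mode do not exist in the 2.x schemas, so they would be ignored),
  - <cookie-config> sets <http-only> and <secure> to true,
  - <tracking-mode> is COOKIE only (no session id in the URL query string).
"""
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip the XML namespace so the same check works for the 2.5, 3.0 and 3.1 schemas."""
    return tag.split('}', 1)[1] if tag.startswith('{') else tag


def _find(elem, name):
    """First descendant of elem whose local tag name matches, ignoring namespace."""
    for child in elem.iter():
        if child is not elem and _local(child.tag) == name:
            return child
    return None


def _text_true(elem):
    return elem is not None and (elem.text or '').strip().lower() == 'true'


def audit_web_xml(xml_text):
    """Return a dict with the parsed settings and a list of human-readable issues."""
    root = ET.fromstring(xml_text)
    version = root.get('version', '')
    try:
        spec_ok = float(version) >= 3.0
    except ValueError:
        spec_ok = False

    session_config = _find(root, 'session-config')
    cookie_config = _find(session_config, 'cookie-config') if session_config is not None else None
    http_only = _text_true(_find(cookie_config, 'http-only')) if cookie_config is not None else False
    secure = _text_true(_find(cookie_config, 'secure')) if cookie_config is not None else False
    # Several <tracking-mode> elements are allowed; anything but a lone COOKIE
    # (e.g. URL) means the container may still rewrite the session id into links.
    modes = sorted(
        (m.text or '').strip().upper()
        for m in (session_config.iter() if session_config is not None else [])
        if _local(m.tag) == 'tracking-mode'
    )
    cookie_only = modes == ['COOKIE']

    issues = []
    if not spec_ok:
        issues.append('web-app version %r is below 3.0; cookie-config/tracking-mode unavailable' % version)
    if not http_only:
        issues.append('session cookie is not HttpOnly (readable from script)')
    if not secure:
        issues.append('session cookie lacks the Secure flag (sent over plain HTTP)')
    if not cookie_only:
        issues.append('tracking-mode is %s; session id may be carried in the URL' % (modes or 'unset'))
    return {'version': version, 'http_only': http_only, 'secure': secure,
            'tracking_modes': modes, 'issues': issues}


# Constructed sample: a servlet 2.5 descriptor with no cookie hardening at all.
WEAK_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <display-name>example-weak</display-name>
  <session-config>
    <session-timeout>60</session-timeout>
  </session-config>
</web-app>
"""

# Constructed sample: the same descriptor bumped to 3.0 with the settings from the mail.
HARDENED_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <display-name>example-hardened</display-name>
  <session-config>
    <session-timeout>60</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>
"""

if __name__ == '__main__':
    for label, doc in (('weak', WEAK_WEB_XML), ('hardened', HARDENED_WEB_XML)):
        result = audit_web_xml(doc)
        print('%s (version %s): %s' % (label, result['version'],
                                       '; '.join(result['issues']) or 'OK'))
```

Point the script at each webapp's WEB-INF/web.xml to find the ones still declaring 2.5. Bear in mind that the Secure flag tells the browser to send the cookie only over HTTPS, so a deployment that still serves logins over plain HTTP will lose its session once the flag is set; the audit checks the descriptor, not whether the connector is TLS.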