[ https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Deepak Dixit updated OFBIZ-6655: -------------------------------- Summary: Add session tracking mode and make cookie secure (was: Add sesstion tracking mode and make cookie secure) > Add session tracking mode and make cookie secure > ------------------------------------------------ > > Key: OFBIZ-6655 > URL: https://issues.apache.org/jira/browse/OFBIZ-6655 > Project: OFBiz > Issue Type: Improvement > Components: ALL COMPONENTS > Affects Versions: Trunk, 14.12.01 > Reporter: Deepak Dixit > Assignee: Deepak Dixit > > Need to enhance security at web-app level. > As per current implementation: > - The cookie containing the session identifier is not secure > - The session identifier is transmitted in the query string of the URL > To fix these issue we have to add following session config otpions in web.xml > {code} > <session-config> > <cookie-config> > <http-only>true</http-only> > <secure>true</secure> > </cookie-config> > <tracking-mode>COOKIE</tracking-mode> > </session-config> > {code} > Also we need to update the web-app servlet specification from 2.3 to 3.0 > {code} > <web-app version="3.0" > xmlns="http://java.sun.com/xml/ns/javaee" > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" > xsi:schemaLocation="http://java.sun.com/xml/ns/javaee > > http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"> > {code} > https://tomcat.apache.org/whichversion.html -- This message was sent by Atlassian JIRA (v6.3.4#6332)