[ 
https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15054795#comment-15054795
 ] 

Jacques Le Roux commented on OFBIZ-6655:
----------------------------------------

At  r1719762 I have secured cookies where needed with setCookie 
(setSecure(true) and setHttpOnly(true)). It has the advantage of securing 
cookies the same way but not only in Tomcat7+.

I though see no reason why not using 
{code}
{config}
<session-config>
        <cookie-config>
            <http-only>true</http-only>
            <secure>true</secure>
        </cookie-config>
        <tracking-mode>COOKIE</tracking-mode>
</session-config>
{config}
{code}

{code}
            <http-only>true</http-only>
            <secure>true</secure>
{code}
Can be seen as redundant but only OOTB. So better to set it indeed, same for 
tracking-mode. Those should be the only changes... At least in a 1st step. All 
other changes, if really necessary, should be done separately, even better in 
another Jira...

OK I just checked, I need to do more work because the same issues than in my 
comment above arise. This time I will not revert, but will ASAP fix the reason 
we get issues when securing cookies :/

> Add session tracking mode and make cookie secure
> ------------------------------------------------
>
>                 Key: OFBIZ-6655
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-6655
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL COMPONENTS
>    Affects Versions: Trunk, 14.12.01
>            Reporter: Deepak Dixit
>            Assignee: Deepak Dixit
>         Attachments: OFBIA-6655.applications.patch, 
> OFBIZ-6655.framework_themes.patch, sessionConifg_ecommerce.patch
>
>
> Need to enhance security at web-app level. 
> As per current implementation:
> - The cookie containing the session identifier is not secure
> - The session identifier is transmitted in the query string of the URL
> To fix these issue we have to add following session config otpions in web.xml
> {code}
> <session-config>
>       <cookie-config>
>           <http-only>true</http-only>
>           <secure>true</secure>
>       </cookie-config>
>       <tracking-mode>COOKIE</tracking-mode>
> </session-config>
> {code}
> Also we need to update the web-app servlet specification from 2.3 to 3.0
> {code}
> <web-app version="3.0"
>         xmlns="http://java.sun.com/xml/ns/javaee";
>         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
>         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
>                             
> http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd";>
> {code}
> https://tomcat.apache.org/whichversion.html



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to