[ https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15056104#comment-15056104 ]

Jacques Le Roux edited comment on OFBIZ-6655 at 12/14/15 3:49 PM:
------------------------------------------------------------------

OK, I changed my mind. I will not apply the sessionConifg_ecommerce.patch 
because of the bug, and I wonder about the other patches because they give a 
false sense of security. So I will reapply r1719762.
This is for 3 reasons:
# Tomcat protects the cookies which it cares about (session and SSO cookies) 
but not all. Notably the OFBiz-specific cookies, like visitorCookie. I guess 
also trackableCookie, billableCookie, siteIdCookie, updatedTimeStampCookie, 
guestShoppingListCookie, usernameCookieName and autoLoginCookie are not 
secured. The data in those cookies are less sensitive than jsessionId, but anyway 
it's safer to have them all secured.
# I don't want to debug the ecommerce issue I reported above. And if I don't 
use the sessionConifg_ecommerce.patch but rather reapply r1719762 then it's OK 
(if I also locally revert r1686574 done for OFBIZ-6111, still waiting on this 
one...)
# I see no reason why someone would not want her cookies secured, as 
recommended by OWASP and others.

Even if it's belt and suspenders, we can still keep the other patches, 
notably because they also introduce the _<tracking-mode>COOKIE</tracking-mode>_ 
stuff.
Once debugged we can commit the sessionConifg_ecommerce.patch; anyway, in 
the meantime it will be safe w/o it.

> Add session tracking mode and make cookie secure
> ------------------------------------------------
>
>                 Key: OFBIZ-6655
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-6655
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL COMPONENTS
>    Affects Versions: Trunk, 14.12.01
>            Reporter: Deepak Dixit
>            Assignee: Deepak Dixit
>         Attachments: OFBIA-6655.applications.patch, 
> OFBIZ-6655.framework_themes.patch, sessionConifg_ecommerce.patch
>
>
> Need to enhance security at the web-app level. 
> As per the current implementation:
> - The cookie containing the session identifier is not secure
> - The session identifier is transmitted in the query string of the URL
> To fix these issues we have to add the following session config options in web.xml
> {code}
> <session-config>
>       <cookie-config>
>           <http-only>true</http-only>
>           <secure>true</secure>
>       </cookie-config>
>       <tracking-mode>COOKIE</tracking-mode>
> </session-config>
> {code}
> Also we need to update the web-app servlet specification from 2.3 to 3.0
> {code}
> <web-app version="3.0"
>         xmlns="http://java.sun.com/xml/ns/javaee"
>         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
>                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
> {code}
> https://tomcat.apache.org/whichversion.html



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
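As an added example (not code from OFBiz, Tomcat or this issue), the following Python script audits the Set-Cookie headers of a response for the Secure and HttpOnly flags, and shows what hardening an application-issued cookie has to add. It illustrates the point made in the comment above: the web.xml <cookie-config> only hardens the container-managed JSESSIONID, so cookies set by the application itself come out with whatever flags the application gave them. The sample headers, including the cookie names visitorId and autoLoginToken and their values, are constructed for this example and are not what OFBiz actually emits.

```python
"""Audit HTTP Set-Cookie headers for the Secure and HttpOnly flags.

Added example, not code from OFBiz or Tomcat. Tomcat's <cookie-config> in
web.xml only hardens the container-managed session cookie (JSESSIONID);
cookies an application adds itself are emitted with whatever flags the
application set. SAMPLE_HEADERS below is constructed to mirror that: the
cookie names and values are invented for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CookieAudit:
    name: str
    secure: bool
    http_only: bool
    samesite: Optional[str]

    def missing_flags(self) -> List[str]:
        """Flags a cookie should carry on an HTTPS site but does not."""
        missing = []
        if not self.secure:
            missing.append("Secure")
        if not self.http_only:
            missing.append("HttpOnly")
        return missing


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Parse one Set-Cookie value; attribute names are case-insensitive (RFC 6265)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    secure = http_only = False
    samesite: Optional[str] = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "httponly":
            http_only = True
        elif key == "samesite":
            samesite = value.strip() or None
    return CookieAudit(name, secure, http_only, samesite)


def audit_headers(headers: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map every Set-Cookie in a response to the list of flags it lacks."""
    report: Dict[str, List[str]] = {}
    for header_name, header_value in headers:
        if header_name.lower() == "set-cookie":
            cookie = parse_set_cookie(header_value)
            report[cookie.name] = cookie.missing_flags()
    return report


def harden_set_cookie(header_value: str) -> str:
    """Append the missing Secure/HttpOnly attributes to a Set-Cookie value.

    This is the change the application (or a fronting proxy) has to make for
    every cookie the container does not manage; <cookie-config> will not do it.
    """
    hardened = header_value.rstrip().rstrip(";")
    for flag in parse_set_cookie(header_value).missing_flags():
        hardened += f"; {flag}"
    return hardened


# Constructed response headers (not captured from a real OFBiz instance).
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Content-Type", "text/html;charset=UTF-8"),
    # Container-managed session cookie, hardened by <cookie-config>.
    ("Set-Cookie", "JSESSIONID=3F2A9C1D7B; Path=/ecommerce; Secure; HttpOnly"),
    # Hypothetical application cookies, emitted without full protection.
    ("Set-Cookie", "visitorId=10022; Path=/; Max-Age=31536000"),
    ("Set-Cookie", "autoLoginToken=a8f3c1; Path=/ecommerce; Secure"),
]


if __name__ == "__main__":
    for name, missing in audit_headers(SAMPLE_HEADERS).items():
        status = "ok" if not missing else "missing " + ", ".join(missing)
        print(f"{name}: {status}")
```

Run against a real deployment by feeding it the raw response headers (for example from `curl -sD - -o /dev/null https://host/ecommerce/`); a cookie that is only meaningful over HTTPS and never read by client-side script should come back with an empty list.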