[ 
https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15103118#comment-15103118
 ] 

Deepak Dixit edited comment on OFBIZ-6655 at 1/16/16 11:18 AM:
---------------------------------------------------------------

Added missing session tracking and secure cookie settings for the scrum and solr components.
Also fixed the "Invalid content was found starting with element 'description'" error
for the manufacturing component.

This has been committed at 
Trunk at r#1724957
15.12 at r#1724958
14.12 at r#1724959


was (Author: deepak.dixit):
Added missing session tracking and secure cookie settings for the scrum and solr components.
Also fixed the "Invalid content was found starting with element 'description'" error
for the manufacturing component.

> Add session tracking mode and make cookie secure
> ------------------------------------------------
>
>                 Key: OFBIZ-6655
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-6655
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL COMPONENTS
>    Affects Versions: Trunk, 14.12.01
>            Reporter: Deepak Dixit
>            Assignee: Deepak Dixit
>             Fix For: 14.12.01, Upcoming Branch, Release Branch 15.12
>
>         Attachments: OFBIA-6655.applications.patch, 
> OFBIZ-6655.framework_themes.patch, OFBIZ-6655_specialpurpose_leftover.patch, 
> sessionConifg_ecommerce.patch
>
>
> Need to enhance security at web-app level. 
> As per current implementation:
> - The cookie containing the session identifier is not secure
> - The session identifier is transmitted in the query string of the URL
> To fix these issues we have to add the following session config options in web.xml
> {code}
> <session-config>
>       <cookie-config>
>           <http-only>true</http-only>
>           <secure>true</secure>
>       </cookie-config>
>       <tracking-mode>COOKIE</tracking-mode>
> </session-config>
> {code}
> Also we need to update the web-app servlet specification from 2.3 to 3.0
> {code}
> <web-app version="3.0"
>         xmlns="http://java.sun.com/xml/ns/javaee"
>         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
>                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
> {code}
> https://tomcat.apache.org/whichversion.html



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
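The session-config hardening quoted in the issue can be checked mechanically across all the web.xml files of a deployment. The script below is an added example, not OFBiz code and not one of the patches attached to this issue: it parses a web.xml and reports whether the web-app version is at least 3.0 (cookie-config and tracking-mode are Servlet 3.0 features), whether http-only and secure are set on the session cookie, and whether tracking-mode is restricted to COOKIE so the session id never appears in the URL. The two embedded web.xml documents are constructed samples (a Servlet 2.3-style file standing in for the pre-fix state, and a 3.0 file carrying the configuration from the issue); the function and helper names are my own.

```python
"""Audit a web.xml for the session-cookie hardening described in OFBIZ-6655 (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample: pre-fix state, Servlet 2.3 DTD, no cookie hardening, no tracking-mode.
WEAK_WEB_XML = """<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
    <display-name>sample-app</display-name>
    <session-config>
        <session-timeout>60</session-timeout>
    </session-config>
</web-app>
"""

# Constructed sample: Servlet 3.0 web.xml with the session-config block from the issue.
HARDENED_WEB_XML = """<web-app version="3.0"
        xmlns="http://java.sun.com/xml/ns/javaee"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                            http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
    <display-name>sample-app</display-name>
    <session-config>
        <session-timeout>60</session-timeout>
        <cookie-config>
            <http-only>true</http-only>
            <secure>true</secure>
        </cookie-config>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>
</web-app>
"""


def _local(tag):
    """Strip an XML namespace: '{http://java.sun.com/xml/ns/javaee}secure' -> 'secure'."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    """Direct children with the given local name; works with and without the javaee namespace."""
    return [c for c in elem if _local(c.tag) == name]


def _child_text(elem, name):
    found = _children(elem, name)
    return found[0].text.strip() if found and found[0].text else None


def _version_at_least_3(root):
    """True when the web-app version attribute parses as 3.0 or newer (absent on 2.3 DTD files)."""
    version = root.get("version")
    if version is None:
        return False
    try:
        return tuple(int(p) for p in version.split(".")) >= (3, 0)
    except ValueError:
        return False


def audit_web_xml(xml_text):
    """Return a list of findings; an empty list means the file carries the hardening from the issue."""
    findings = []
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "web-app":
        return ["root element is not <web-app>"]
    if not _version_at_least_3(root):
        findings.append(f"web-app version {root.get('version') or '(unset)'} is below 3.0; "
                        "<cookie-config> and <tracking-mode> require Servlet 3.0")
    session_cfg = _children(root, "session-config")
    cookie_cfg = _children(session_cfg[0], "cookie-config") if session_cfg else []
    for flag, risk in (("http-only", "script access to the session cookie"),
                       ("secure", "the session cookie being sent over plain HTTP")):
        value = _child_text(cookie_cfg[0], flag) if cookie_cfg else None
        if value != "true":
            findings.append(f"<cookie-config>/<{flag}> is {value or 'unset'}: allows {risk}")
    modes = set()
    if session_cfg:
        modes = {m.text.strip().upper() for m in _children(session_cfg[0], "tracking-mode") if m.text}
    if not modes:
        findings.append("no <tracking-mode>: container default applies and may permit URL rewriting")
    elif modes != {"COOKIE"}:
        findings.append(f"tracking-mode {sorted(modes)}: session id may be placed in the URL")
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(f"{label}: {audit_web_xml(doc) or 'OK'}")
```

Run it over every web.xml in a checkout (for example with `find . -name web.xml`) to list the components still missing the settings; the helpers match on local element names so the same check applies to old DTD-based files and to namespaced 3.0 files.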
