[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure
[ https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15105952#comment-15105952 ]

Jacques Le Roux commented on OFBIZ-6655:

Hi Deepak,

You
{quote}
Reverted r1719762, as system fails to find the session cookie for ecommerce, will debug it in more detail but for now to fix this issue reverting r1719762 at r#1722379.
{quote}
Then you applied r1724940. Could you please explain in detail the issue you got with r1719762 that you did not get with r1724940? Was this not related to OFBIZ-6111? Or javascript not able to access the session cookie? Did you test using an OFBiz localhost instance?

These questions because we will ultimately need to secure all OFBiz cookies, not only the session cookies. There are more considerations to take into account, notably that I have introduced _strict-transport-security_ with r1719660 (OFBIZ-6766). The point is you should set _true_ ONLY if you are only serving https content; for mixed content this setting is NOT recommended. But with the introduction of _strict-transport-security_ things are blurred.

Anyway I will soon open a new Jira for that and other related points, or maybe simply another post to the "Performance over security, is that reasonable?" thread.

> Add session tracking mode and make cookie secure
>
> Key: OFBIZ-6655
> URL: https://issues.apache.org/jira/browse/OFBIZ-6655
> Project: OFBiz
> Issue Type: Sub-task
> Components: ALL COMPONENTS
> Affects Versions: Trunk, 14.12.01
> Reporter: Deepak Dixit
> Assignee: Deepak Dixit
> Fix For: 14.12.01, Upcoming Branch, Release Branch 15.12
>
> Attachments: OFBIA-6655.applications.patch, OFBIZ-6655.framework_themes.patch, OFBIZ-6655_specialpurpose_leftover.patch, sessionConifg_ecommerce.patch
>
> Need to enhance security at web-app level.
> As per current implementation:
> - The cookie containing the session identifier is not secure
> - The session identifier is transmitted in the query string of the URL
> To fix these issues we have to add the following session config options in web.xml
> {code}
> <session-config>
>     <cookie-config>
>         <http-only>true</http-only>
>         <secure>true</secure>
>     </cookie-config>
>     <tracking-mode>COOKIE</tracking-mode>
> </session-config>
> {code}
> Also we need to update the web-app servlet specification from 2.3 to 3.0
> {code}
> <web-app version="3.0"
>     xmlns="http://java.sun.com/xml/ns/javaee"
>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>     xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
> {code}
> https://tomcat.apache.org/whichversion.html

-- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure
[ https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15103087#comment-15103087 ]

Deepak Dixit commented on OFBIZ-6655:

IMO we can close this issue. Created new ticket OFBIZ-6807 for the LocationResolver related issue.
[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure
[ https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15103118#comment-15103118 ]

Deepak Dixit commented on OFBIZ-6655:

Added missing session tracking and secure cookie for scrum and solr component. Also fixed the "Invalid content was found starting with element 'description'" error for the manufacturing component.
[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure
[ https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15103082#comment-15103082 ]

Deepak Dixit commented on OFBIZ-6655:

Added session tracking mode and made cookie secure for remaining special purposes component at
- Trunk at r#1724940
- 15.12 at r#1724941
- 14.12 at r#1724942
[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure
[ https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15103046#comment-15103046 ]

Deepak Dixit commented on OFBIZ-6655:

Thanks Rahul, specialpurpose leftover patch has been committed at r#1724930.
[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure
[ https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15075201#comment-15075201 ]

Deepak Dixit commented on OFBIZ-6655:

Reverted r1719762, as system fails to find the session cookie for ecommerce, will debug it in more detail but for now to fix this issue reverting r1719762 at r#1722379.
[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure
[ https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15059766#comment-15059766 ]

Gareth Carter commented on OFBIZ-6655:

FYI, most of the local DTD/schemas are found in servlet-api-3.0.jar. The LocalResolver in UtilXml will need to be changed or schema removed from all web.xml files. I believe tomcat OOTB uses this jar - see https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/util/SchemaResolver.html, however I have not looked into it with any depth.
[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure
[ https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15055870#comment-15055870 ]

Jacques Le Roux commented on OFBIZ-6655:

Yes, all concerned specialpurpose components indeed (not POS for instance).
[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure
[ https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15055743#comment-15055743 ]

Jacques Le Roux commented on OFBIZ-6655:

Committed in
- trunk r1719872
- R14.12 r1719874

Too many conflicts in older releases. Still ecommerce webapps to fix...
[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure
[ https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15055693#comment-15055693 ]

Jacques Le Roux commented on OFBIZ-6655:

I reviewed the patches.

OFBIA-6655.applications.patch, there are 2 undesired parts:
- Index: applications/order/build.xml (wrong)
- Index: applications/order/widget/ordermgr/OrderMenus.xml (makes sense, I'll apply later: conflict anyway)

OFBIZ-6655.framework_themes.patch
- Index: applications/order/build.xml (wrong)

Else applying them seems good and I confirm r1719762 at r1719764 are not needed. I will commit them.
[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure
[ https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15055779#comment-15055779 ]

Jacques Le Roux commented on OFBIZ-6655:

> Index: applications/order/widget/ordermgr/OrderMenus.xml (makes sense, I'll apply later: conflict anyway)

Already applied.
[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure
[ https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15056104#comment-15056104 ]

Jacques Le Roux commented on OFBIZ-6655:

OK, I changed my mind. I will not apply the sessionConifg_ecommerce.patch because of the bug, and I wonder about the other patches because they give a false sense of security. So I will reapply r1719762. This for 3 reasons:
# Tomcat protects the cookies which it cares about (session and SSO cookies) but not all. Notably the OFBiz specific cookies, like visitorCookie. I guess also trackableCookie, billableCookie, siteIdCookie, updatedTimeStampCookie, guestShoppingListCookie, usernameCookieName and autoLoginCookie are not secured with
The data in those cookies are less sensible than jsessionId but anyway it's safer to have them all secured.
# I don't want to debug the ecommerce issue I reported above. And if I don't use the sessionConifg_ecommerce.patch but rather reapply r1719762 then it's OK (if I also locally revert r1686574 done for OFBIZ-6111, still waiting on this one...)
# I see no reasons why someone would not want her cookies secured, as recommended by OWASP and others.

Even if it's belt and suspenders, we can still keep the other patches. Notably because they also introduce the _COOKIE_ stuff. Once debugged we can commit the sessionConifg_ecommerce.patch; anyway in the meantime it will be safe w/o it.
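The two weaknesses the issue description lists (session cookie without Secure/HttpOnly, session id in the URL) and the point made in the comment above (the container's cookie-config only covers its own session cookie, not OFBiz application cookies) can be checked from the response headers alone. The audit below is an added example in Python, not OFBiz or Tomcat code; the cookie names are taken from this thread, the "before"/"after" responses are constructed, and the browser rule in browser_would_send is the standard Secure-attribute behaviour, offered as one explanation for a Secure session cookie not being found when a webapp is visited over plain http.

```python
"""Audit Set-Cookie headers and URLs for the weaknesses OFBIZ-6655 addresses:
session cookies set without Secure/HttpOnly, and the session id carried in
the URL (the ';jsessionid=...' path parameter Tomcat emits in URL tracking
mode). Added example; not OFBiz or Tomcat code. Sample responses below are
constructed, not captured from a real instance."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# JSESSIONID is the container's cookie and is what <cookie-config> in web.xml
# flags. The application cookies named in the thread (visitorCookie, ...) are
# set by OFBiz code and are not touched by the container's cookie-config.
CONTAINER_COOKIES = {"JSESSIONID"}
SESSION_ID_IN_URL = re.compile(r";jsessionid=[0-9A-Za-z.]+", re.IGNORECASE)


@dataclass
class Cookie:
    name: str
    value: str
    attrs: Dict[str, object] = field(default_factory=dict)

    @property
    def secure(self) -> bool:
        return "secure" in self.attrs

    @property
    def http_only(self) -> bool:
        return "httponly" in self.attrs


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value. Attribute names are lower-cased;
    flag attributes such as Secure and HttpOnly map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return Cookie(name.strip(), value.strip(), attrs)


def browser_would_send(cookie: Cookie, scheme: str) -> bool:
    """A cookie carrying the Secure attribute is only returned over https.
    A Secure JSESSIONID therefore 'disappears' for a webapp visited over
    plain http: the server sets it, but the browser never sends it back."""
    return scheme == "https" or not cookie.secure


def audit_response(set_cookie_headers: List[str], urls: List[str]) -> Dict[str, List[str]]:
    """Report cookies lacking Secure/HttpOnly, split into container-managed
    and application cookies, plus any URL carrying a session id."""
    report: Dict[str, List[str]] = {"container_weak": [], "app_weak": [], "session_in_url": []}
    for header in set_cookie_headers:
        c = parse_set_cookie(header)
        missing = [flag for flag, ok in (("Secure", c.secure), ("HttpOnly", c.http_only)) if not ok]
        if missing:
            bucket = "container_weak" if c.name in CONTAINER_COOKIES else "app_weak"
            report[bucket].append(f"{c.name}: missing {', '.join(missing)}")
    report["session_in_url"] = [u for u in urls if SESSION_ID_IN_URL.search(u)]
    return report


# Constructed "before" state: servlet 2.3 web.xml with no session-config, so
# the container also rewrites URLs with the session id.
BEFORE_HEADERS = [
    "JSESSIONID=ABC123; Path=/ecommerce",
    "visitorCookie=10001; Path=/; Max-Age=31536000",
]
BEFORE_URLS = ["/ecommerce/control/main;jsessionid=ABC123"]

# Constructed "after" state: <http-only>true</http-only>, <secure>true</secure>
# and <tracking-mode>COOKIE</tracking-mode> in web.xml, and the application
# cookie flagged by the application itself.
AFTER_HEADERS = [
    "JSESSIONID=ABC123; Path=/ecommerce; Secure; HttpOnly",
    "visitorCookie=10001; Path=/; Max-Age=31536000; Secure; HttpOnly",
]
AFTER_URLS = ["/ecommerce/control/main"]


if __name__ == "__main__":
    print("before:", audit_response(BEFORE_HEADERS, BEFORE_URLS))
    print("after: ", audit_response(AFTER_HEADERS, AFTER_URLS))
    sid = parse_set_cookie(AFTER_HEADERS[0])
    print("Secure JSESSIONID sent back over http?", browser_would_send(sid, "http"))
```

Running the script against the "after" state reports nothing weak, while the Secure JSESSIONID is still not returned over http, which is the trade-off behind the "only if serving https" caveat.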
[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure
[ https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15056128#comment-15056128 ]

Jacques Le Roux commented on OFBIZ-6655:

I reapplied (committed) r1719762 at revision: 1719939
[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure
[ https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15055977#comment-15055977 ]

Jacques Le Roux commented on OFBIZ-6655:

At least, the ecommerce issue is unrelated with OFBIZ-6111...WIP...
[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure
[ https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15055777#comment-15055777 ]

Pierre Smits commented on OFBIZ-6655:

And cmssite, of course.
[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure
[ https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15056397#comment-15056397 ]

Jacques Le Roux commented on OFBIZ-6655:

BTW, I found this in log after r1719872
{code}
[java] 2015-12-14 17:42:35,607 |catalina-startup-8 |UtilXml |W| [UtilXml.LocalResolver.resolveEntity] could not find LOCAL DTD/Schema with publicId [null] and the file/resource is [web-app_3_0.xsd]
[java] 2015-12-14 17:42:35,620 |catalina-startup-5 |UtilXml |W| [UtilXml.LocalResolver.resolveEntity] could not find LOCAL DTD/Schema with publicId [null] and the file/resource is [web-app_3_0.xsd]
[java] 2015-12-14 17:42:35,626 |catalina-startup-2 |UtilXml |W| [UtilXml.LocalResolver.resolveEntity] could not find LOCAL DTD/Schema with publicId [null] and the file/resource is [web-app_3_0.xsd]
[java] 2015-12-14 17:42:35,627 |catalina-startup-4 |UtilXml |W| [UtilXml.LocalResolver.resolveEntity] could not find LOCAL DTD/Schema with publicId [null] and the file/resource is [web-app_3_0.xsd]
[java] 2015-12-14 17:42:35,630 |catalina-startup-6 |UtilXml |W| [UtilXml.LocalResolver.resolveEntity] could not find LOCAL DTD/Schema with publicId [null] and the file/resource is [web-app_3_0.xsd]
[java] 2015-12-14 17:42:35,634 |catalina-startup-1 |UtilXml |W| [UtilXml.LocalResolver.resolveEntity] could not find LOCAL DTD/Schema with publicId [null] and the file/resource is [web-app_3_0.xsd]
[java] 2015-12-14 17:42:35,637 |catalina-startup-3 |UtilXml |W| [UtilXml.LocalResolver.resolveEntity] could not find LOCAL DTD/Schema with publicId [null] and the file/resource is [web-app_3_0.xsd]
[java] 2015-12-14 17:42:35,638 |catalina-startup-7 |UtilXml |W| [UtilXml.LocalResolver.resolveEntity] could not find LOCAL DTD/Schema with publicId [null] and the file/resource is [web-app_3_0.xsd]
[java] 2015-12-14 17:42:36,577 |catalina-startup-7 |UtilXml |W| [UtilXml.LocalResolver.resolveEntity] could not find LOCAL DTD/Schema with publicId [null] and the file/resource is [web-common_3_0.xsd]
[java] 2015-12-14 17:42:36,588 |catalina-startup-5 |UtilXml |W| [UtilXml.LocalResolver.resolveEntity] could not find LOCAL DTD/Schema with publicId [null] and the file/resource is [web-common_3_0.xsd]
[java] 2015-12-14 17:42:36,601 |catalina-startup-8 |UtilXml |W| [UtilXml.LocalResolver.resolveEntity] could not find LOCAL DTD/Schema with publicId [null] and the file/resource is [web-common_3_0.xsd]
[java] 2015-12-14 17:42:36,615 |catalina-startup-1 |UtilXml |W| [UtilXml.LocalResolver.resolveEntity] could not find LOCAL DTD/Schema with publicId [null] and the file/resource is [web-common_3_0.xsd]
[java] 2015-12-14 17:42:36,629 |catalina-startup-4 |UtilXml |W| [UtilXml.LocalResolver.resolveEntity] could not find LOCAL DTD/Schema with publicId [null] and the file/resource is [web-common_3_0.xsd]
[java] 2015-12-14 17:42:36,643 |catalina-startup-2 |UtilXml |W| [UtilXml.LocalResolver.resolveEntity] could not find LOCAL DTD/Schema with publicId [null] and the file/resource is [web-common_3_0.xsd]
[java] 2015-12-14 17:42:36,667 |catalina-startup-3 |UtilXml |W| [UtilXml.LocalResolver.resolveEntity] could not find LOCAL DTD/Schema with publicId [null] and the file/resource is [web-common_3_0.xsd]
[java] 2015-12-14 17:42:36,899 |catalina-startup-5 |UtilXml |W| [UtilXml.LocalResolver.resolveEntity] could not find LOCAL DTD/Schema with publicId [null] and the file/resource is [javaee_6.xsd]
[java] 2015-12-14 17:42:36,938 |catalina-startup-8 |UtilXml |W| [UtilXml.LocalResolver.resolveEntity] could not find LOCAL DTD/Schema with publicId [null] and the file/resource is [javaee_6.xsd]
[java] 2015-12-14 17:42:36,975 |catalina-startup-1 |UtilXml |W| [UtilXml.LocalResolver.resolveEntity] could not find LOCAL DTD/Schema with publicId [null] and the file/resource is [javaee_6.xsd]
[java] 2015-12-14 17:42:37,013 |catalina-startup-4 |UtilXml |W| [UtilXml.LocalResolver.resolveEntity] could not find LOCAL DTD/Schema with publicId [null] and the file/resource is [javaee_6.xsd]
[java] 2015-12-14 17:42:37,050 |catalina-startup-2 |UtilXml |W| [UtilXml.LocalResolver.resolveEntity] could not find LOCAL DTD/Schema with publicId [null] and the file/resource is [javaee_6.xsd]
[java] 2015-12-14 17:42:37,092 |catalina-startup-3 |UtilXml |W|
[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure
[ https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15056400#comment-15056400 ] Jacques Le Roux commented on OFBIZ-6655: As Pierre said, we should not forget the specialpurpose components.
[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure
[ https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15055502#comment-15055502 ] Jacques Le Roux commented on OFBIZ-6655: Unless proved otherwise, I see no reason not to apply the "OFBIZ-6655.framework_themes.patch" and "OFBIA-6655.applications.patch". I will though test that we do not have the same side effect as on ecommerce on the order manager side... WIP...
[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure
[ https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15054797#comment-15054797 ] Jacques Le Roux commented on OFBIZ-6655: After reading https://tomcat.apache.org/migration-7.html#Session_cookie_configuration I see that http-only is now on by default in Tomcat 7. Still, my r1719762 might secure those who would want to use another app server. I will check whether the issue we have in ecommerce is related to JavaScript trying to use cookies...
[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure
[ https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15054800#comment-15054800 ] Jacques Le Roux commented on OFBIZ-6655: Ha no indeed, this is not Tomcat 7 specific but Servlet 3.0 standard. So it's indeed a better way because it's configurable. I will revert my change, review the attached patches and hopefully apply them before trying to fix the ecommerce issue...
[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure
[ https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15054795#comment-15054795 ] Jacques Le Roux commented on OFBIZ-6655: At r1719762 I have secured cookies where needed with setCookie (setSecure(true) and setHttpOnly(true)). It has the advantage of securing cookies the same way, but not only in Tomcat 7+. I though see no reason not to use
{code}
<session-config>
  <cookie-config>
    <http-only>true</http-only>
    <secure>true</secure>
  </cookie-config>
  <tracking-mode>COOKIE</tracking-mode>
</session-config>
{code}
{code}
<http-only>true</http-only>
<secure>true</secure>
{code}
can be seen as redundant, but only OOTB. So better to set it indeed, same for tracking-mode. Those should be the only changes... At least in a 1st step. All other changes, if really necessary, should be done separately, even better in another Jira... OK I just checked, I need to do more work because the same issues as in my comment above arise. This time I will not revert, but will ASAP fix the reason we get issues when securing cookies :/
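A quick way to verify that the web.xml session-config above actually took effect, as an added example (not OFBiz or Tomcat code): it audits one HTTP response for a JSESSIONID cookie lacking Secure/HttpOnly and for a session id rewritten into the Location header or page links (what tracking-mode COOKIE switches off). The sample headers and HTML body are constructed for this example.

```python
"""Audit an HTTP response for the two weaknesses OFBIZ-6655 addresses:
an unprotected session cookie and a session id carried in URLs."""
import re
from http.cookies import SimpleCookie

SESSION_COOKIE = "JSESSIONID"  # Tomcat's default session cookie name
# Servlet containers doing URL session tracking rewrite ";jsessionid=<id>" into links
URL_SESSION_ID = re.compile(r";jsessionid=[0-9A-Za-z]+", re.IGNORECASE)


def audit_response(headers, body=""):
    """headers: list of (name, value) pairs as sent by the server; body: HTML text.
    Returns a list of findings; an empty list means the session handling looks right."""
    findings = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)  # parses attributes; Secure/HttpOnly become True when present
            for cookie_name, morsel in jar.items():
                if cookie_name != SESSION_COOKIE:
                    continue
                if not morsel["secure"]:
                    findings.append("session cookie lacks Secure: sent over plain http")
                if not morsel["httponly"]:
                    findings.append("session cookie lacks HttpOnly: readable by script")
        elif name.lower() == "location" and URL_SESSION_ID.search(value):
            findings.append("session id in redirect URL")
    if URL_SESSION_ID.search(body):
        findings.append("session id rewritten into page URLs (tracking-mode not COOKIE)")
    return findings


# Constructed samples: a response before the change and one after it.
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=0123ABCD; Path=/ecommerce"),
    ("Location", "http://localhost:8080/ecommerce/control/main;jsessionid=0123ABCD"),
]
WEAK_BODY = '<a href="/ecommerce/control/main;jsessionid=0123ABCD">Main</a>'

HARDENED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=0123ABCD; Path=/ecommerce; Secure; HttpOnly"),
]
HARDENED_BODY = '<a href="/ecommerce/control/main">Main</a>'

if __name__ == "__main__":
    for finding in audit_response(WEAK_HEADERS, WEAK_BODY):
        print("weak:", finding)
    print("hardened:", audit_response(HARDENED_HEADERS, HARDENED_BODY))
```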
[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure
[ https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15054804#comment-15054804 ] Jacques Le Roux commented on OFBIZ-6655: I reverted r1719762 at r1719764. I wonder if the ecommerce issue is not related to OFBIZ-6111.
[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure
[ https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15023838#comment-15023838 ] Jacques Le Roux commented on OFBIZ-6655: I reverted r1715506 at revision 1716036. The issues I came across:
Get to localhost:8080/ecommerce/control/main
Add a product; instead of staying on the main page you get to the cart page despite having "Always View Cart After Adding An Item." not checked. Then e.g.:
Scenario 1: Use the Recalculate option at top => You get "Your Shopping Cart Empty"
Scenario 2: Use the Continue Shopping option at top => your cart is empty
Scenario 3: Use the checkout link on top, login with DemoCustomer, use the Quick Checkout option, use the main link on top => your cart is empty
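The empty-cart symptom follows directly from how browsers treat the Secure attribute: a Secure cookie is only sent back over https, so on http://localhost:8080 every request arrives without JSESSIONID and the server starts a fresh, empty session. This added example (not OFBiz code) models that with a minimal cookie jar and a toy session store; the request paths, the https port 8443 and the product id are constructed, only localhost:8080/ecommerce comes from the comment.

```python
"""Model of why <secure>true</secure> empties the cart on a plain-http storefront."""
import uuid
from urllib.parse import urlsplit


class BrowserCookieJar:
    """Minimal jar implementing the RFC 6265 Secure rule (constructed for this example)."""

    def __init__(self):
        self.cookies = {}  # name -> (value, secure flag)

    def store(self, name, value, secure):
        self.cookies[name] = (value, secure)

    def cookies_for(self, url):
        """Cookies a browser would attach to a request for url: Secure ones only over https."""
        over_tls = urlsplit(url).scheme == "https"
        return {name: value for name, (value, secure) in self.cookies.items()
                if over_tls or not secure}


class CartServer:
    """Toy server: the cart lives in the session looked up via JSESSIONID;
    secure_cookie mirrors <secure>true</secure> in web.xml."""

    def __init__(self, secure_cookie):
        self.secure_cookie = secure_cookie
        self.sessions = {}  # session id -> cart (list of product ids)

    def handle(self, jar, url, add_item=None):
        sid = jar.cookies_for(url).get("JSESSIONID")
        if sid not in self.sessions:  # no usable cookie received: new session
            sid = uuid.uuid4().hex.upper()
            self.sessions[sid] = []
            jar.store("JSESSIONID", sid, self.secure_cookie)
        if add_item is not None:
            self.sessions[sid].append(add_item)
        return list(self.sessions[sid])


def shop(base_url, secure_cookie):
    """Replay the reported scenario: open main, add a product, then view the cart.
    Returns the cart contents the user sees on the last request."""
    jar, server = BrowserCookieJar(), CartServer(secure_cookie)
    server.handle(jar, base_url + "/control/main")
    server.handle(jar, base_url + "/control/additem", add_item="ITEM-1")  # constructed id
    return server.handle(jar, base_url + "/control/showcart")


if __name__ == "__main__":
    print(shop("http://localhost:8080/ecommerce", secure_cookie=True))   # [] : "cart is empty"
    print(shop("https://localhost:8443/ecommerce", secure_cookie=True))  # ['ITEM-1']
    print(shop("http://localhost:8080/ecommerce", secure_cookie=False))  # ['ITEM-1']
```

Serving the storefront only over https (which is what the Secure flag assumes) keeps the session; setting the flag while still serving plain http reproduces exactly the scenarios above.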
[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure
[ https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15020526#comment-15020526 ] Jacques Le Roux commented on OFBIZ-6655: OK, not a big deal, I guess/hope Eclipse will tell us to update it when needed.
[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure
[ https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15020400#comment-15020400 ] Deepak Dixit commented on OFBIZ-6655: Jacques, Eclipse XML validation says version is a required field for the web-app element, so we need to add version to it.
[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure
[ https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15020397#comment-15020397 ] Deepak Dixit commented on OFBIZ-6655: You are right Jacques, we don't need to add the version="3.0", I'll commit the changes ASAP.
[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure
[ https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14942121#comment-14942121 ] Deepak Dixit commented on OFBIZ-6655: Let me check.
[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure
[ https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14909280#comment-14909280 ] Jacques Le Roux commented on OFBIZ-6655: Hi Deepak, I don't think we need to put {code} https://tomcat.apache.org/tomcat-7.0-doc/appdev/web.xml.txt and https://download.oracle.com/otn-pub/jcp/servlet-3.0-fr-oth-JSpec/servlet-3_0-final-spec.pdf chapter 14. The issue I foresee is if we don't, when we will upgrade Tomcat we will not need to update it, it will be automatically done. On the other hand we could keep the rest (xmlns, etc.). Did I miss something?