[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure

2016-01-18 Thread Jacques Le Roux (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15105952#comment-15105952
 ] 

Jacques Le Roux commented on OFBIZ-6655:


Hi Deepak,

You wrote:
{quote}
Reverted r1719762, as system fails to find the session cookie for ecommerce, 
will debug it in more detail but for now to fix this issue reverting r1719762 
at r#1722379.
{quote}
Then you applied r1724940. Could you please explain in detail the issue you got 
with r1719762 that you did not get with r1724940? Was this not related to 
OFBIZ-6111? Or was JavaScript not able to access the session cookie? Did you test 
using an OFBiz localhost instance? I ask these questions because we will ultimately 
need to secure all OFBiz cookies, not only the session cookies. 

There are more considerations to take into account, notably that I have 
introduced _strict-transport-security_ with r1719660 (OFBIZ-6766). 
The point is you should set _secure_ to _true_ ONLY if you are only 
serving https content; for mixed content this setting is NOT recommended. But 
with the introduction of _strict-transport-security_ things are blurred.

Anyway I will soon open a new Jira for that and other related points, or maybe 
simply another post to the "Performance over security, is that reasonable?" 
thread.

> Add session tracking mode and make cookie secure
> 
>
> Key: OFBIZ-6655
> URL: https://issues.apache.org/jira/browse/OFBIZ-6655
> Project: OFBiz
>  Issue Type: Sub-task
>  Components: ALL COMPONENTS
>Affects Versions: Trunk, 14.12.01
>Reporter: Deepak Dixit
>Assignee: Deepak Dixit
> Fix For: 14.12.01, Upcoming Branch, Release Branch 15.12
>
> Attachments: OFBIA-6655.applications.patch, 
> OFBIZ-6655.framework_themes.patch, OFBIZ-6655_specialpurpose_leftover.patch, 
> sessionConifg_ecommerce.patch
>
>
> Need to enhance security at web-app level. 
> As per current implementation:
> - The cookie containing the session identifier is not secure
> - The session identifier is transmitted in the query string of the URL
> To fix these issues we have to add the following session config options in web.xml
> {code}
> <session-config>
>   <cookie-config>
>     <http-only>true</http-only>
>     <secure>true</secure>
>   </cookie-config>
>   <tracking-mode>COOKIE</tracking-mode>
> </session-config>
> {code}
> Also we need to update the web-app servlet specification from 2.3 to 3.0
> {code}
> <web-app xmlns="http://java.sun.com/xml/ns/javaee"
>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>     xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
>         http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
>     version="3.0">
> {code}
> https://tomcat.apache.org/whichversion.html



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
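The web.xml changes quoted above can be checked mechanically. The following is an added example, not code from OFBiz or from this issue's patches: it audits a descriptor for the Servlet 3.0 version the new elements need, for the Secure and HttpOnly flags on the session cookie, and for a COOKIE-only tracking mode. The descriptor strings inside it are constructed for the demo.

```python
# Added example (not OFBiz project code): audit a web.xml for the session
# hardening requested in OFBIZ-6655. It handles both a Servlet 2.3 DTD
# descriptor (no namespace, no version attribute) and a Servlet 3.0 one.
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip any {namespace} prefix so 2.3 and 3.0 descriptors compare alike."""
    return tag.rsplit("}", 1)[-1]


def _child(elem, *path):
    """Namespace-agnostic lookup of the first child chain named by `path`."""
    for name in path:
        elem = next((c for c in elem if _local(c.tag) == name), None)
        if elem is None:
            return None
    return elem


def _is_true(elem):
    return elem is not None and (elem.text or "").strip().lower() == "true"


def audit_web_xml(xml_text):
    """Return a list of findings; an empty list means the descriptor has what
    OFBIZ-6655 asks for: Servlet 3.0 schema, Secure + HttpOnly session cookie,
    and COOKIE-only session tracking (no jsessionid in URLs)."""
    findings = []
    # Intended for trusted local descriptors: ElementTree does not fetch the
    # external DTD/XSD, but it is not a hardened parser for hostile XML.
    root = ET.fromstring(xml_text)
    version = root.get("version")
    if version is None or float(version) < 3.0:
        findings.append(f"web-app version {version!r}: <cookie-config> and "
                        "<tracking-mode> need Servlet 3.0 or later")
    session = _child(root, "session-config")
    if session is None:
        findings.append("no <session-config>: container defaults apply "
                        "(session cookie not Secure, URL rewriting allowed)")
        return findings
    if not _is_true(_child(session, "cookie-config", "secure")):
        findings.append("session cookie not marked Secure")
    if not _is_true(_child(session, "cookie-config", "http-only")):
        findings.append("session cookie not marked HttpOnly")
    modes = [(m.text or "").strip() for m in session
             if _local(m.tag) == "tracking-mode"]
    if modes != ["COOKIE"]:
        findings.append(f"tracking-mode {modes or 'unset'}: session id may be "
                        "rewritten into URLs; expected COOKIE only")
    return findings


# Constructed descriptors for the demo, not taken from the OFBiz tree.
HARDENED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
        http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
    version="3.0">
  <session-config>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>"""

LEGACY_WEB_XML = """<!DOCTYPE web-app PUBLIC
  "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <display-name>ecommerce</display-name>
</web-app>"""

# Servlet 3.0 descriptor that only went half way: HttpOnly set, Secure and
# tracking-mode forgotten.
PARTIAL_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <session-config>
    <cookie-config><http-only>true</http-only></cookie-config>
  </session-config>
</web-app>"""

if __name__ == "__main__":
    for label, doc in [("hardened", HARDENED_WEB_XML),
                       ("legacy 2.3", LEGACY_WEB_XML),
                       ("partial", PARTIAL_WEB_XML)]:
        print(label, audit_web_xml(doc) or ["OK"])
```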


[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure

2016-01-16 Thread Deepak Dixit (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15103087#comment-15103087
 ] 

Deepak Dixit commented on OFBIZ-6655:

IMO we can close this issue; I created a new ticket, OFBIZ-6807, for the LocationResolver 
related issue.



[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure

2016-01-16 Thread Deepak Dixit (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15103118#comment-15103118
 ] 

Deepak Dixit commented on OFBIZ-6655:

Added missing session tracking and secure cookie for the scrum and solr components.
Also fixed the "Invalid content was found starting with element 'description'" 
error for the manufacturing component.



[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure

2016-01-16 Thread Deepak Dixit (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15103082#comment-15103082
 ] 

Deepak Dixit commented on OFBIZ-6655:

Added session tracking mode and made cookie secure for the remaining specialpurpose 
components at:
Trunk at r#1724940
15.12 at r#1724941
14.12 at r#1724942



[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure

2016-01-15 Thread Deepak Dixit (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15103046#comment-15103046
 ] 

Deepak Dixit commented on OFBIZ-6655:

Thanks Rahul, the specialpurpose leftover patch has been committed at r#1724930



[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure

2015-12-30 Thread Deepak Dixit (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15075201#comment-15075201
 ] 

Deepak Dixit commented on OFBIZ-6655:

Reverted r1719762, as the system fails to find the session cookie for ecommerce; 
I will debug it in more detail, but for now, to fix this issue, I am reverting r1719762 
at r#1722379.



[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure

2015-12-16 Thread Gareth Carter (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15059766#comment-15059766
 ] 

Gareth Carter commented on OFBIZ-6655:

FYI, most of the local DTD/schemas are found in servlet-api-3.0.jar. The 
LocalResolver in UtilXml will need to be changed, or the schema removed from all 
web.xml files. 

I believe Tomcat OOTB uses this jar, see 
https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/util/SchemaResolver.html; 
however I have not looked into it in any depth.




[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure

2015-12-14 Thread Jacques Le Roux (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15055870#comment-15055870
 ] 

Jacques Le Roux commented on OFBIZ-6655:


Yes all concerned specialpurpose components indeed (not POS for instance)



[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure

2015-12-14 Thread Jacques Le Roux (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15055743#comment-15055743
 ] 

Jacques Le Roux commented on OFBIZ-6655:


Committed in 
trunk r1719872
R14.12 r1719874

Too many conflicts in older releases.

Still ecommerce webapps to fix...




[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure

2015-12-14 Thread Jacques Le Roux (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15055693#comment-15055693
 ] 

Jacques Le Roux commented on OFBIZ-6655:


I reviewed the patches.

OFBIA-6655.applications.patch, there are 2 undesired parts: 
Index: applications/order/build.xml (wrong)
Index: applications/order/widget/ordermgr/OrderMenus.xml (makes sense, I'll apply 
later: conflict anyway)

OFBIZ-6655.framework_themes.patch
Index: applications/order/build.xml (wrong)

Else applying them seems good and I confirm r1719762 at r1719764 are not 
needed. I will commit them.



[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure

2015-12-14 Thread Jacques Le Roux (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15055779#comment-15055779
 ] 

Jacques Le Roux commented on OFBIZ-6655:


> Index: applications/order/widget/ordermgr/OrderMenus.xml (makes sense, I'll 
> apply later: conflict anyway)

Already applied



[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure

2015-12-14 Thread Jacques Le Roux (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15056104#comment-15056104
 ] 

Jacques Le Roux commented on OFBIZ-6655:


OK, I changed my mind. I will not apply the sessionConifg_ecommerce.patch 
because of the bug, and I wonder about the other patches because they give a 
false sense of security. So I will reapply r1719762.
This for 3 reasons:
# Tomcat protects the cookies which it cares about (session and SSO cookies) 
but not all. Notably the OFBiz specific cookies, like visitorCookie. I guess 
also trackableCookie, billableCookie, siteIdCookie, updatedTimeStampCookie, 
guestShoppingListCookie, usernameCookieName and autoLoginCookie are not secured 
with  The data in those cookies are less sensitive than jsessionId, but anyway 
it's safer to have them all secured.
# I don't want to debug the ecommerce issue I reported above. And if I don't 
use the sessionConifg_ecommerce.patch but rather reapply r1719762 then it's OK 
(if I also locally revert r1686574 done for OFBIZ-6111, still waiting on this 
one...)
# I see no reason why someone would not want her cookies secured, as 
recommended by OWASP and others.

Even if it's belt and suspenders, we can still keep the other patches. 
Notably because they also introduce the _COOKIE_ 
stuff.
Once debugged we can commit the sessionConifg_ecommerce.patch; anyway in 
the meantime it will be safe w/o it.


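The distinction Jacques draws above, that the web.xml cookie-config only hardens the container's session cookie while application-set cookies such as visitorCookie stay unprotected, shows up directly in the response headers. The following is an added example, not OFBiz code: it audits a captured HTTPS response for cookies lacking Secure or HttpOnly, for a session id rewritten into a redirect URL, and for a missing Strict-Transport-Security header. The responses, cookie values and the shop.example host are constructed for the demo.

```python
# Added example (not OFBiz project code): audit the Set-Cookie headers of an
# HTTPS response. web.xml <cookie-config> only covers the container's own
# session cookie; cookies set by application code (visitorCookie,
# autoLoginCookie and friends in OFBiz) need their own Secure/HttpOnly flags,
# which is the "belt and suspenders" point made above.
import re

# Tomcat's URL-rewriting form of the session id, e.g. /main;jsessionid=...
_JSESSIONID_IN_URL = re.compile(r";jsessionid=", re.IGNORECASE)


def parse_set_cookie(value):
    """Split one Set-Cookie header into (name, value, {attr: val}); attribute
    names are lower-cased because they are case-insensitive (RFC 6265)."""
    first, *rest = [p.strip() for p in value.split(";")]
    name, _, val = first.partition("=")
    attrs = {}
    for part in rest:
        k, _, v = part.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), val, attrs


def parse_raw_response(raw):
    """Turn a raw HTTP response head into (status line, [(name, value), ...])."""
    status_line, _, head = raw.replace("\r\n", "\n").partition("\n")
    headers = []
    for line in head.split("\n"):
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status_line.strip(), headers


def audit_headers(headers, expect_hsts=True):
    """Return findings: cookies lacking Secure/HttpOnly, a session id rewritten
    into a redirect URL, and (optionally) a missing HSTS header."""
    findings, has_hsts = [], False
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            cname, _, attrs = parse_set_cookie(value)
            if "secure" not in attrs:
                findings.append(f"cookie {cname}: missing Secure")
            if "httponly" not in attrs:
                findings.append(f"cookie {cname}: missing HttpOnly")
        elif lname == "location" and _JSESSIONID_IN_URL.search(value):
            findings.append("Location: session id rewritten into URL "
                            "(tracking-mode still includes URL)")
        elif lname == "strict-transport-security":
            has_hsts = True
    if expect_hsts and not has_hsts:
        findings.append("no Strict-Transport-Security header")
    return findings


def audit_raw(raw, expect_hsts=True):
    _, headers = parse_raw_response(raw)
    return audit_headers(headers, expect_hsts)


# Constructed responses for the demo; the cookie names mirror the OFBiz ones
# named above, the values and host are made up.
RESPONSE_AFTER_COOKIE_CONFIG = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=0F1E2D3C4B5A; Path=/ecommerce; Secure; HttpOnly\r\n"
    "Set-Cookie: visitorCookie=10050; Path=/; Max-Age=31536000\r\n"
    "Set-Cookie: autoLoginCookie=DemoCustomer; Path=/ecommerce\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "\r\n"
)
RESPONSE_LEGACY = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://shop.example/ecommerce/main;jsessionid=0F1E2D3C4B5A\r\n"
    "Set-Cookie: JSESSIONID=0F1E2D3C4B5A; Path=/ecommerce\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for finding in audit_raw(RESPONSE_AFTER_COOKIE_CONFIG) + audit_raw(RESPONSE_LEGACY):
        print(finding)
```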

[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure

2015-12-14 Thread Jacques Le Roux (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15056128#comment-15056128
 ] 

Jacques Le Roux commented on OFBIZ-6655:


I reapplied (committed) r1719762 at revision: 1719939  



[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure

2015-12-14 Thread Jacques Le Roux (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15055977#comment-15055977
 ] 

Jacques Le Roux commented on OFBIZ-6655:


At least, the ecommerce issue is unrelated to OFBIZ-6111... WIP...



[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure

2015-12-14 Thread Pierre Smits (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15055777#comment-15055777
 ] 

Pierre Smits commented on OFBIZ-6655:

And cmssite, of course.



[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure

2015-12-14 Thread Jacques Le Roux (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15056397#comment-15056397
 ] 

Jacques Le Roux commented on OFBIZ-6655:


BTW, I found this in log after r1719872
{code}
 [java] 2015-12-14 17:42:35,607 |catalina-startup-8   |UtilXml  
 |W| [UtilXml.LocalResolver.resolveEntity] could not find LOCAL 
DTD/Schema with publicId [null] and the file/resource is
 [web-app_3_0.xsd]
 [java] 2015-12-14 17:42:35,620 |catalina-startup-5   |UtilXml  
 |W| [UtilXml.LocalResolver.resolveEntity] could not find LOCAL 
DTD/Schema with publicId [null] and the file/resource is
 [web-app_3_0.xsd]
 [java] 2015-12-14 17:42:35,626 |catalina-startup-2   |UtilXml  
 |W| [UtilXml.LocalResolver.resolveEntity] could not find LOCAL 
DTD/Schema with publicId [null] and the file/resource is
 [web-app_3_0.xsd]

[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure

2015-12-14 Thread Jacques Le Roux (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15056400#comment-15056400
 ] 

Jacques Le Roux commented on OFBIZ-6655:


As Pierre said, we should not forget the specialpurpose components.

> Add session tracking mode and make cookie secure
> 
>
> Key: OFBIZ-6655
> URL: https://issues.apache.org/jira/browse/OFBIZ-6655
> Project: OFBiz
>  Issue Type: Sub-task
>  Components: ALL COMPONENTS
>Affects Versions: Trunk, 14.12.01
>Reporter: Deepak Dixit
>Assignee: Deepak Dixit
> Attachments: OFBIA-6655.applications.patch, 
> OFBIZ-6655.framework_themes.patch, sessionConifg_ecommerce.patch
>
>
> Need to enhance security at web-app level. 
> As per current implementation:
> - The cookie containing the session identifier is not secure
> - The session identifier is transmitted in the query string of the URL
> To fix these issues we have to add the following session config options in web.xml
> {code}
> <session-config>
>   <cookie-config>
>     <http-only>true</http-only>
>     <secure>true</secure>
>   </cookie-config>
>   <tracking-mode>COOKIE</tracking-mode>
> </session-config>
> {code}
> Also we need to update the web-app servlet specification from 2.3 to 3.0
> {code}
> <web-app xmlns="http://java.sun.com/xml/ns/javaee"
>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>     xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
>     http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
> {code}
> https://tomcat.apache.org/whichversion.html



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure

2015-12-13 Thread Jacques Le Roux (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15055502#comment-15055502
 ] 

Jacques Le Roux commented on OFBIZ-6655:


Unless proved otherwise, I see no reason not to apply the 
"OFBIZ-6655.framework_themes.patch" and "OFBIA-6655.applications.patch". I will 
though test that we do not get the same side effect as on ecommerce on the order 
manager side... WIP...



[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure

2015-12-12 Thread Jacques Le Roux (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15054797#comment-15054797
 ] 

Jacques Le Roux commented on OFBIZ-6655:


After reading 
https://tomcat.apache.org/migration-7.html#Session_cookie_configuration I see 
that http-only is now the default in Tomcat 7. Still, my r1719762 might secure 
those who would want to use another app server. I will check if the issue we 
have in ecommerce is not related to JavaScript trying to use cookies...




[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure

2015-12-12 Thread Jacques Le Roux (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15054800#comment-15054800
 ] 

Jacques Le Roux commented on OFBIZ-6655:


Ha no indeed, this is not Tomcat 7 specific but Servlet 3.0 standard. So it's 
indeed a better way because it's configurable. I will revert my change, review 
the attached patches and hopefully apply them before trying to fix the 
ecommerce issue...



[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure

2015-12-12 Thread Jacques Le Roux (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15054795#comment-15054795
 ] 

Jacques Le Roux commented on OFBIZ-6655:


At r1719762 I have secured cookies where needed with setCookie 
(setSecure(true) and setHttpOnly(true)). It has the advantage of securing 
cookies the same way, but not only in Tomcat 7+.

I though see no reason not to use 
{code}
<session-config>
  <cookie-config>
    <http-only>true</http-only>
    <secure>true</secure>
  </cookie-config>
  <tracking-mode>COOKIE</tracking-mode>
</session-config>
{code}

{code}
<http-only>true</http-only>
<secure>true</secure>
{code}
Can be seen as redundant, but only OOTB. So better to set it indeed, same for 
tracking-mode. Those should be the only changes... At least in a 1st step. All 
other changes, if really necessary, should be done separately, even better in 
another Jira...

OK I just checked, I need to do more work because the same issues as in my 
comment above arise. This time I will not revert, but will ASAP fix the reason 
we get issues when securing cookies :/


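As an added example (not OFBiz code, nor from anyone in this thread), the check below parses a web.xml and reports which of the settings this issue asks for are missing: HttpOnly and Secure on the session cookie, COOKIE-only tracking, and a Servlet 3.0 descriptor (the cookie-config elements do not exist in the 2.3 DTD). The two web.xml documents inside it are constructed samples, not OFBiz's own files.

```python
import xml.etree.ElementTree as ET

# <cookie-config> and <tracking-mode> exist from Servlet 3.0 on; a 3.0
# descriptor declares this namespace, a 2.3 DTD descriptor has none.
JAVAEE_NS = "http://java.sun.com/xml/ns/javaee"


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on a tag."""
    return tag.rsplit("}", 1)[-1]


def _children(node, name):
    """Direct children with this local name, namespace ignored."""
    return [c for c in node if _local(c.tag) == name]


def _text(node, *path):
    """Text of the first element reached along path, or None if absent."""
    for name in path:
        found = _children(node, name)
        if not found:
            return None
        node = found[0]
    return (node.text or "").strip()


def audit_web_xml(xml_text):
    """Findings for one web.xml; [] means it has the OFBIZ-6655 settings:
    HttpOnly + Secure session cookie, COOKIE-only tracking, 3.0 descriptor."""
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "web-app":
        return ["root element is not <web-app>"]
    findings = []
    if root.tag != "{%s}web-app" % JAVAEE_NS:
        findings.append("not a Servlet 3.0 descriptor: cookie-config and "
                        "tracking-mode are undefined before 3.0")
    if _text(root, "session-config", "cookie-config", "http-only") != "true":
        findings.append("session cookie is not HttpOnly: readable by script")
    if _text(root, "session-config", "cookie-config", "secure") != "true":
        findings.append("session cookie is not Secure: sent over plain HTTP")
    modes = [(m.text or "").strip()
             for sc in _children(root, "session-config")
             for m in _children(sc, "tracking-mode")]
    if modes != ["COOKIE"]:
        findings.append("tracking-mode is %s, not COOKIE only: the session id "
                        "may be carried in the URL" % (modes or "unset"))
    return findings


# Constructed samples (not OFBiz files): the 2.3 starting point the issue
# describes, and the hardened Servlet 3.0 form it asks for.
WEAK_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <session-config>
    <session-timeout>60</session-timeout>
  </session-config>
</web-app>
"""

HARDENED_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
    version="3.0">
  <session-config>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>
"""

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(name, audit_web_xml(doc) or ["OK"])
```

Running it over every component's web.xml (applications, framework, themes and specialpurpose alike) gives the checklist this thread is working through. Keep in mind that a Secure cookie is only sent back over HTTPS, so pages still served over plain HTTP will not see the session at all.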

[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure

2015-12-12 Thread Jacques Le Roux (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15054804#comment-15054804
 ] 

Jacques Le Roux commented on OFBIZ-6655:


I reverted r1719762 at r1719764. I wonder if the ecommerce issue is not related 
to OFBIZ-6111.



[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure

2015-11-23 Thread Jacques Le Roux (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15023838#comment-15023838
 ] 

Jacques Le Roux commented on OFBIZ-6655:


I reverted r1715506 at revision 1716036. The issues I ran into:

Go to localhost:8080/ecommerce/control/main
Add a product: instead of staying on the main page you get to the cart page, 
despite "Always View Cart After Adding An Item" not being checked. Then, 
e.g.:

Scenario 1
Use the Recalculate option at top => You get "Your Shopping Cart Empty"

Scenario 2
Use the  Continue Shopping option at top => your cart is empty

Scenario 3
Use the checkout link on top
Login with DemoCustomer
Use the Quick Checkout option
Use the main link on top => your cart is empty




[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure

2015-11-21 Thread Jacques Le Roux (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15020526#comment-15020526
 ] 

Jacques Le Roux commented on OFBIZ-6655:


OK, not a big deal, I guess/hope Eclipse will tell us to update it when needed



[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure

2015-11-21 Thread Deepak Dixit (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15020400#comment-15020400
 ] 

Deepak Dixit commented on OFBIZ-6655:
-

Jacques, Eclipse XML validation says version is a required field for the web-app 
element, so we need to add version to it.



[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure

2015-11-21 Thread Deepak Dixit (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15020397#comment-15020397
 ] 

Deepak Dixit commented on OFBIZ-6655:
-

You are right Jacques, we don't need to add the version="3.0". I'll commit the 
changes ASAP.



[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure

2015-10-02 Thread Deepak Dixit (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14942121#comment-14942121
 ] 

Deepak Dixit commented on OFBIZ-6655:
-

Let me check.



[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure

2015-09-26 Thread Jacques Le Roux (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14909280#comment-14909280
 ] 

Jacques Le Roux commented on OFBIZ-6655:


Hi Deepak,

I don't think we need to put 
{code}
 https://tomcat.apache.org/tomcat-7.0-doc/appdev/web.xml.txt and 
https://download.oracle.com/otn-pub/jcp/servlet-3.0-fr-oth-JSpec/servlet-3_0-final-spec.pdf
 chapter 14
The issue I foresee is: if we don't, then when we upgrade Tomcat we will not need 
to update it, it will be done automatically.

On the other hand we could keep the rest (xmlns, etc.). Did I miss something?
