[ https://issues.apache.org/jira/browse/OFBIZ-6867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15134153#comment-15134153 ]
Jacques Le Roux commented on OFBIZ-6867: ---------------------------------------- Completed at r1728660 (no functional change, just get rid of the "cookies" now unused variable) > Remove forceManualJsessionid feature > ------------------------------------ > > Key: OFBIZ-6867 > URL: https://issues.apache.org/jira/browse/OFBIZ-6867 > Project: OFBiz > Issue Type: Sub-task > Components: framework > Affects Versions: Trunk > Reporter: Jacques Le Roux > Assignee: Jacques Le Roux > Fix For: Upcoming Branch > > > This follows this [Scott's > comment|https://issues.apache.org/jira/browse/OFBIZ-6111?focusedCommentId=15076677] > in OFBIZ-6111. > I totally agree and will also create an issue to remove forceHttpSession. We > should always use HTTPS as explained at OFBIZ-6849 > I will also create an issue to get rid of the session-cookie-accepted > feature. When the present issue will be done, it will no longer be used OOTB > and anyway should not be needed > We should always use sessionIds in cookies and newer have sessionsIds in > URLs. So I will create another issue to remove all sessionsIds in URLs. There > are 2 cases: > # the part related to spiders in RequestHandler > # HtmlFormRenderer.appendExternalLoginKey() (there is also an > appendExternalLoginKey mtehod in MacroFormRenderer class but it's not used > OOTB) > There are also many cases where we show the sessionId in logs (using > UtilHttp.getSessionId()) I wonder if we should not keep those commented out > or change the debug info level. Also HttpSessionEvent.getSession().getId() is > directly used in some places for the same purpose (log) > These are more improvement sub-tasks but we will decide later if we want to > backport them because it's security issues but could have an impact on custom > projects based on releases. -- This message was sent by Atlassian JIRA (v6.3.4#6332)