Author: jleroux Date: Wed Oct 18 15:01:04 2017 New Revision: 1812540 URL: http://svn.apache.org/viewvc?rev=1812540&view=rev Log: Improved: Enhance cookies security (OFBIZ-9865)
Working on OFBIZ-6766, I was reading https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#SameSite_Attribute and decided to slightly improve our cookies security
Modified:
ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/WebAppServletContextListener.java
Modified: ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java?rev=1812540&r1=1812539&r2=1812540&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java (original)
+++ ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java Wed Oct 18 15:01:04 2017
@@ -978,6 +978,8 @@ public class RequestHandler {
// https://wiki.mozilla.org/Security/Features/XSS_Filter
// https://bugzilla.mozilla.org/show_bug.cgi?id=528661
resp.addHeader("X-XSS-Protection","1; mode=block");
+
+ resp.setHeader("Set-Cookie", "SameSite=strict"); // TODO maybe one day the ServletContext will allow to do that, then better in WebAppServletContextListener
try {
if (Debug.verboseOn()) Debug.logVerbose("Rendering view [" + nextPage + "] of type [" + viewMap.type + "]", module);
Modified: ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/WebAppServletContextListener.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/WebAppServletContextListener.java?rev=1812540&r1=1812539&r2=1812540&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/WebAppServletContextListener.java (original)
+++ ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/WebAppServletContextListener.java Wed Oct 18 15:01:04 2017
@@ -27,6 +27,8 @@ import javax.servlet.SessionCookieConfig
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;
+import org.apache.ofbiz.base.util.UtilProperties;
+
@WebListener
public class WebAppServletContextListener implements ServletContextListener {
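Review bot: `resp.setHeader("Set-Cookie", "SameSite=strict")` on the second added line does not put a SameSite attribute on any existing cookie: a Set-Cookie value begins with a name=value pair, so this emits a new cookie literally named `SameSite` with value `strict`, while JSESSIONID and every cookie added through addCookie still go out without the attribute. Because setHeader replaces rather than appends, it may additionally discard Set-Cookie headers already queued on the response, depending on how the container stores cookies added via addCookie — worth checking. The attribute has to be appended to each cookie's own header value (rewriting the response's Set-Cookie values before commit, or through the container's cookie handling where it supports SameSite), so I would drop this line rather than ship a malformed header. Note also that Strict, unlike Lax, drops the session on any cross-site top-level navigation into the application (e.g. a return redirect from an external payment or SSO provider), so the choice deserves a stated rationale in the comment. The enclosing method starts and ends outside the hunk.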
@@ -40,6 +42,11 @@ public class WebAppServletContextListene
SessionCookieConfig sessionCookieConfig = servletContext.getSessionCookieConfig();
sessionCookieConfig.setHttpOnly(true);
sessionCookieConfig.setSecure(true);
+ sessionCookieConfig.setComment("Created by Apache OFBiz WebAppServletContextListener");
+ String cookieDomain = UtilProperties.getPropertyValue("url", "cookie.domain", "");
+ if (cookieDomain.length() > 0) sessionCookieConfig.setDomain(cookieDomain);
+ sessionCookieConfig.setMaxAge(60 * 60 * 24 * 365);
+ sessionCookieConfig.setPath(servletContext.getContextPath());
}
/* (non-Javadoc)
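Review bot: `sessionCookieConfig.setMaxAge(60 * 60 * 24 * 365)` on the fourth added line turns the session-ID cookie from a browser-session cookie into a persistent one written to disk for a year, which undoes part of the httpOnly/secure hardening just above it: the OWASP cheat sheet cited in the log recommends non-persistent session cookies, and a persistent JSESSIONID outlives the server-side session on shared machines and widens the window for cookie theft. I would remove that line and keep the container default of -1 (cookie discarded when the browser closes), or at most bound it by the configured session timeout. `setComment(...)` also deserves a second look: Comment is a relic of the RFC 2109 format that RFC 6265 browsers ignore, and depending on the container's cookie processor it may be dropped silently or switch the cookie to the older Version 1 serialization — verify what the deployed container actually emits before keeping it. Minor style: the unbraced one-liner should be `if (!cookieDomain.isEmpty()) { sessionCookieConfig.setDomain(cookieDomain); }`, and a comment noting that a configured `cookie.domain` widens the cookie to every subdomain would help the next reader. The enclosing method begins outside the hunk.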

