Hi Dev,

I would like to propose some security enhancements at the web-app level. IMO we have to enhance sessionId and cookie tracking. As per the current implementation:

- The cookie containing the session identifier is not secure
- The session identifier is transmitted in the query string of the URL

We can add the following configuration in web.xml to fix the above issues:

    <session-config>
        <cookie-config>
            <http-only>true</http-only>
            <secure>true</secure>
        </cookie-config>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>

To use cookie-config and tracking-mode, we need to update the servlet specification to 3.0: https://tomcat.apache.org/whichversion.html

Thanks & Regards
Deepak Dixit
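The same hardening as the web.xml snippet above, expressed programmatically with the Servlet 3.0 API, as an added example that is not part of the original mail or the project's code. It assumes a Servlet 3.0 or later container (Tomcat 7+, `javax.servlet` namespace) and a web.xml whose `<web-app>` element is declared at version 3.0 so that `@WebListener` classes are scanned; the class name `SessionHardeningListener` is illustrative. The startup check at the end fails the deployment if the container did not honour the settings, which is the check a practitioner would otherwise do by hand with `curl -I` against the login page and looking for `HttpOnly; Secure` on the `Set-Cookie: JSESSIONID=...` header.

```java
import java.util.EnumSet;
import java.util.Set;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

/**
 * Programmatic equivalent of:
 *
 *   <session-config>
 *     <cookie-config><http-only>true</http-only><secure>true</secure></cookie-config>
 *     <tracking-mode>COOKIE</tracking-mode>
 *   </session-config>
 *
 * Illustrative class name (assumption); any ServletContextListener works.
 * Both setters below may only be called while the context is still being
 * initialised, which is exactly when contextInitialized() runs.
 */
@WebListener
public class SessionHardeningListener implements ServletContextListener {

    // The only tracking mode we accept: never URL rewriting (;jsessionid=...)
    // and never SSL session ids.
    private static final Set<SessionTrackingMode> COOKIE_ONLY =
            EnumSet.of(SessionTrackingMode.COOKIE);

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // <cookie-config>: JSESSIONID is not readable from JavaScript (HttpOnly)
        // and is only sent by the browser over TLS (Secure).
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true);
        cookie.setSecure(true);

        // <tracking-mode>COOKIE</tracking-mode>: with URL tracking disabled,
        // response.encodeURL()/encodeRedirectURL() no longer append the
        // session id, so it cannot leak via Referer headers, proxy logs or
        // copied links.
        ctx.setSessionTrackingModes(COOKIE_ONLY);

        // Fail fast: a deployment that silently falls back to URL rewriting or
        // an unflagged cookie is worse than one that refuses to start.
        Set<SessionTrackingMode> effective = ctx.getEffectiveSessionTrackingModes();
        if (!COOKIE_ONLY.equals(effective) || !cookie.isHttpOnly() || !cookie.isSecure()) {
            throw new IllegalStateException("session hardening not applied: trackingModes="
                    + effective + " httpOnly=" + cookie.isHttpOnly()
                    + " secure=" + cookie.isSecure());
        }
        ctx.log("Session cookie hardened: HttpOnly, Secure, tracking modes=" + effective);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }
}
```

Two caveats worth knowing before rolling this out: with `Secure` set unconditionally, the browser never sends JSESSIONID over plain HTTP, so an application that is still reachable on an `http://` URL (or one sitting behind a TLS-terminating proxy whose requests arrive at Tomcat as plain HTTP) will appear to lose its session on every request until the HTTP entry point is closed or redirected to HTTPS; and because `COOKIE` is now the only tracking mode, any client that blocks cookies can no longer hold a session at all, which is the intended trade-off but should be stated in the release notes.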