Hi Dev,
I would like to propose some security enhancements at the web-app level.
IMO we have to enhance sessionId and cookie tracking. As per the current
implementation:
- The cookie containing the session identifier is not secure
- The session identifier is transmitted in the query string of the URL
We can add the following configuration in web.xml to fix the above issues:
<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
To use cookie-config and tracking-mode, we need to update the servlet
specification to 3.0:
https://tomcat.apache.org/whichversion.html
Thanks & Regards
—
Deepak Dixit
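A defender-side check for the two findings in the mail, added here as an example (it is not part of the original message or of any project's code): it inspects a Set-Cookie header and a URL from constructed sample responses and reports a session cookie that lacks the Secure/HttpOnly flags, or a session id rewritten into the URL path or query. The host name and session ids are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed samples: what a servlet container sends before and after the
# proposed <cookie-config> / <tracking-mode> change (session ids are fake).
WEAK_SET_COOKIE = "JSESSIONID=A1B2C3D4E5F6; Path=/"
HARDENED_SET_COOKIE = "JSESSIONID=A1B2C3D4E5F6; Path=/; Secure; HttpOnly"

# Constructed sample links: URL rewriting active vs. cookie-only tracking.
WEAK_URL = "https://app.example.test/app/page;jsessionid=A1B2C3D4E5F6?x=1"
HARDENED_URL = "https://app.example.test/app/page?x=1"

SESSION_COOKIE_NAMES = {"jsessionid"}


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {lowercase attr: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        # Flag attributes such as Secure / HttpOnly carry no value.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_set_cookie(header):
    """Return findings for a session cookie lacking the Secure/HttpOnly flags."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if name.lower() in SESSION_COOKIE_NAMES:
        if "secure" not in attrs:
            findings.append("session cookie missing Secure flag")
        if "httponly" not in attrs:
            findings.append("session cookie missing HttpOnly flag")
    return findings


def audit_url(url):
    """Return findings when a session id is carried in the URL path or query."""
    findings = []
    parts = urlsplit(url)  # urlsplit keeps ";jsessionid=..." inside .path
    # Servlet containers rewrite the id as a path parameter: /page;jsessionid=...
    if re.search(r";jsessionid=", parts.path, re.IGNORECASE):
        findings.append("session id in URL path parameter")
    # Also catch it in the query string, as the mail describes.
    query_keys = {k.lower() for k in parse_qs(parts.query)}
    if query_keys & SESSION_COOKIE_NAMES:
        findings.append("session id in URL query string")
    return findings
```

Run the two audit functions over the Set-Cookie headers and links of a real deployment to confirm the web.xml change took effect after the upgrade.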