Servlet spec 3.0 is implemented in Tomcat versions 7.x. In trunk (and
release branch 14.x) we use Tomcat 7.0.64.

So this can be applied in future release branches as well as in r14.x

Best regards,

Pierre Smits

*OFBiz Extensions Marketplace*
http://oem.ofbizci.net

On Thu, Sep 24, 2015 at 11:27 AM, Deepak Dixit <
[email protected]> wrote:

> Hi Dev,
>
> I would like to propose some security enhancements at the web-app level.
> IMO we have to enhance sessionId and cookie tracking. As per the current
> implementation:
> - The cookie containing the session identifier is not secure
> - The session identifier is transmitted in the query string of the URL
>
> We can add the following configuration in web.xml to fix the above issues:
>
> <session-config>
>         <cookie-config>
>             <http-only>true</http-only>
>             <secure>true</secure>
>         </cookie-config>
>         <tracking-mode>COOKIE</tracking-mode>
> </session-config>
>
> To use cookie-config and tracking-mode we need to update the servlet
> specification to 3.0
> https://tomcat.apache.org/whichversion.html
>
>
> Thanks & Regards
> —
> Deepak Dixit
>
>
>
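As an added example (not code from the OFBiz thread or project), the following Python script audits a web.xml for the session-config hardening proposed in the quoted message: Servlet 3.0+ declared on `<web-app>`, HttpOnly and Secure on the session cookie, and tracking restricted to COOKIE. The two web.xml fragments are constructed sample inputs.

```python
import xml.etree.ElementTree as ET

def audit_web_xml(xml_text):
    """Return a list of findings; an empty list means the session hardening is present."""
    root = ET.fromstring(xml_text.strip())
    # web.xml is usually namespaced; derive the namespace from the root tag so both forms work.
    ns = root.tag[1:root.tag.index("}")] if root.tag.startswith("{") else ""
    tag = lambda name: f"{{{ns}}}{name}" if ns else name
    findings = []
    version = root.get("version", "")
    try:
        if float(version) < 3.0:
            findings.append(f"web-app version {version}: cookie-config and tracking-mode need Servlet 3.0+")
    except ValueError:
        findings.append(f"web-app version attribute missing or unparseable: {version!r}")
    sc = root.find(tag("session-config"))
    cc = sc.find(tag("cookie-config")) if sc is not None else None

    def is_true(parent, name):
        # Absent element counts as false; text compared case-insensitively.
        return parent is not None and (parent.findtext(tag(name)) or "").strip().lower() == "true"

    if not is_true(cc, "http-only"):
        findings.append("session cookie is not HttpOnly (readable by script)")
    if not is_true(cc, "secure"):
        findings.append("session cookie lacks the Secure flag (sent over plain HTTP)")
    modes = set()
    if sc is not None:
        modes = {m.text.strip().upper() for m in sc.findall(tag("tracking-mode")) if m.text}
    if modes != {"COOKIE"}:
        findings.append(f"tracking-mode not restricted to COOKIE ({sorted(modes) or 'container default'}): "
                        "session id may be rewritten into URLs")
    return findings

# Constructed sample: a Servlet 2.5 descriptor with no cookie hardening.
WEAK_WEB_XML = """
<web-app version="2.5">
  <session-config><session-timeout>30</session-timeout></session-config>
</web-app>"""

# Constructed sample: the configuration proposed in the message on a Servlet 3.0 descriptor.
HARDENED_WEB_XML = """
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <session-config>
    <cookie-config><http-only>true</http-only><secure>true</secure></cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>"""

if __name__ == "__main__":
    for label, doc in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label, "->", audit_web_xml(doc) or "OK")
```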
