Thanks Pierre and Jacques. I opened a ticket for the same: https://issues.apache.org/jira/browse/OFBIZ-6655
Thanks & Regards
—
Deepak Dixit

> On Sep 24, 2015, at 5:35 PM, Jacques Le Roux <[email protected]> wrote:
>
> That's quite good news, thanks Deepak and Pierre!
>
> Jacques
>
> On 24/09/2015 11:44, Pierre Smits wrote:
>> Servlet spec 3.0 is implemented in Tomcat versions 7.x. In trunk (and release branch 14.x) we use Tomcat 7.0.64.
>>
>> So this can be applied in future release branches as well as in r14.x
>>
>> Best regards,
>>
>> Pierre Smits
>>
>> *OFBiz Extensions Marketplace*
>> http://oem.ofbizci.net
>>
>> On Thu, Sep 24, 2015 at 11:27 AM, Deepak Dixit <[email protected]> wrote:
>>
>>> Hi Dev,
>>>
>>> I would like to propose some security enhancement at web-app level. IMO we have to enhance sessionId and cookie tracking. As per the current implementation:
>>> - The cookie containing the session identifier is not secure
>>> - The session identifier is transmitted in the query string of the URL
>>>
>>> We can add the following configuration in web.xml to fix the above issues:
>>>
>>> <session-config>
>>>   <cookie-config>
>>>     <http-only>true</http-only>
>>>     <secure>true</secure>
>>>   </cookie-config>
>>>   <tracking-mode>COOKIE</tracking-mode>
>>> </session-config>
>>>
>>> To use cookie-config and tracking-mode we need to update the servlet specification to 3.0
>>> https://tomcat.apache.org/whichversion.html
>>>
>>> Thanks & Regards
>>> —
>>> Deepak Dixit
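A way to verify the two findings from the proposal above before and after the web.xml change, as an added example that is not part of the thread or of OFBiz: it checks the session cookie's Set-Cookie header for the Secure and HttpOnly attributes, and scans response HTML for session ids rewritten into URLs. The cookie name JSESSIONID is Tomcat's default; the headers and HTML below are constructed sample data.

```python
"""Offline audit for the session-handling findings raised in the thread:
a session cookie set without Secure/HttpOnly, and a session identifier
carried in URLs (Tomcat's ;jsessionid=... rewriting, which tracking-mode
COOKIE disables)."""
import re
from typing import Dict, List

# Matches a session id appended to a URL as a path parameter or query parameter.
JSESSIONID_IN_URL = re.compile(r"[;?&]jsessionid=[0-9A-Za-z.]+", re.IGNORECASE)


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_session_cookie(set_cookie_headers: List[str], cookie_name: str = "JSESSIONID") -> List[str]:
    """Return findings for the session cookie; an empty list means the
    <cookie-config> settings from the proposal are in effect."""
    findings: List[str] = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie["name"].upper() != cookie_name.upper():
            continue  # not the session cookie, ignore
        if "secure" not in cookie["attrs"]:
            findings.append("session cookie lacks Secure")
        if "httponly" not in cookie["attrs"]:
            findings.append("session cookie lacks HttpOnly")
        return findings
    return ["no session cookie was set"]


def find_url_session_ids(html: str) -> List[str]:
    """Return every session id leaked into a URL in the response body."""
    return JSESSIONID_IN_URL.findall(html)


# Constructed sample responses: before and after the web.xml change.
BEFORE_HEADERS = ["JSESSIONID=ABC123; Path=/"]
AFTER_HEADERS = ["JSESSIONID=ABC123; Path=/; Secure; HttpOnly"]
BEFORE_HTML = '<a href="/catalog/control/main;jsessionid=ABC123">Home</a>'
AFTER_HTML = '<a href="/catalog/control/main">Home</a>'

if __name__ == "__main__":
    print(audit_session_cookie(BEFORE_HEADERS), find_url_session_ids(BEFORE_HTML))
    print(audit_session_cookie(AFTER_HEADERS), find_url_session_ids(AFTER_HTML))
```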
