[ 
https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15105952#comment-15105952
 ] 

Jacques Le Roux commented on OFBIZ-6655:
----------------------------------------

Hi Deepak,

You wrote:
{quote}
Reverted r1719762, as system fails to find the session cookie for ecommerce, 
will debug it in more detail but for now to fix this issue reverting r1719762 
at r#1722379.
{quote}
Then you applied r1724940. Could you please explain in detail the issue you got 
with r1719762 that you did not get with r1724940? Was this not related to 
OFBIZ-6111? Or was JavaScript not able to access the session cookie? Did you 
test using an OFBiz localhost instance? I ask these questions because we will 
ultimately need to secure all OFBiz cookies, not only the session cookies. 

There are more considerations to take into account, notably that I have 
introduced _strict-transport-security_ with r1719660 (OFBIZ-6766). 
The point is you should set _<secure>true</secure>_ ONLY if you are only 
serving https content; for mixed content this setting is NOT recommended. But 
with the introduction of _strict-transport-security_ things are blurred.

Anyway I will soon open a new Jira for that and other related points, or maybe 
simply another post to the "Performance over security, is that reasonable?" 
thread.

> Add session tracking mode and make cookie secure
> ------------------------------------------------
>
>                 Key: OFBIZ-6655
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-6655
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL COMPONENTS
>    Affects Versions: Trunk, 14.12.01
>            Reporter: Deepak Dixit
>            Assignee: Deepak Dixit
>             Fix For: 14.12.01, Upcoming Branch, Release Branch 15.12
>
>         Attachments: OFBIA-6655.applications.patch, 
> OFBIZ-6655.framework_themes.patch, OFBIZ-6655_specialpurpose_leftover.patch, 
> sessionConifg_ecommerce.patch
>
>
> Need to enhance security at web-app level. 
> As per current implementation:
> - The cookie containing the session identifier is not secure
> - The session identifier is transmitted in the query string of the URL
> To fix these issues we have to add the following session config options in web.xml
> {code}
> <session-config>
>       <cookie-config>
>           <http-only>true</http-only>
>           <secure>true</secure>
>       </cookie-config>
>       <tracking-mode>COOKIE</tracking-mode>
> </session-config>
> {code}
> Also we need to update the web-app servlet specification from 2.3 to 3.0
> {code}
> <web-app version="3.0"
>         xmlns="http://java.sun.com/xml/ns/javaee"
>         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
>                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
> {code}
> https://tomcat.apache.org/whichversion.html



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
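The thread turns on three web.xml settings (`http-only`, `secure`, `tracking-mode`) and on Jacques' caveat that `<secure>true</secure>` only makes sense when the webapp serves HTTPS exclusively. The script below is an added example, not OFBiz code and not part of the original issue: it parses a web.xml's `<session-config>` and reports the two weaknesses named in the issue (session cookie without Secure/HttpOnly, session id rewritten into URLs), and flags the mixed-content case where a Secure cookie would simply never be sent over HTTP. The function name `audit_session_config`, the `https_only` parameter and the two sample web.xml documents are all constructed for illustration.

```python
"""Audit the <session-config> of a servlet web.xml for the weaknesses
discussed in OFBIZ-6655.  Added example; the sample documents below are
constructed, not taken from OFBiz."""
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip a namespace prefix such as {http://java.sun.com/xml/ns/javaee}."""
    return tag.rsplit("}", 1)[-1]


def _find(elem, name):
    """Return the first direct child of elem with the given local name."""
    if elem is None:
        return None
    for child in elem:
        if _local(child.tag) == name:
            return child
    return None


def _text(elem, name):
    """Trimmed text of a child element, or '' when absent."""
    child = _find(elem, name)
    return (child.text or "").strip() if child is not None else ""


def audit_session_config(web_xml, https_only):
    """Return a list of findings; an empty list means the config matches the
    hardened layout from the issue.  https_only says whether the webapp is
    served over HTTPS exclusively: a browser never sends a Secure cookie on
    a plain-HTTP request, so a mixed http/https deployment would lose its
    session the moment it falls back to HTTP."""
    root = ET.fromstring(web_xml)
    findings = []

    # <cookie-config> only exists from servlet spec 3.0 onwards.
    version = root.get("version", "")
    try:
        if float(version) < 3.0:
            findings.append("web-app version %s: <cookie-config> needs servlet 3.0+" % version)
    except ValueError:
        findings.append("web-app version missing or unparsable")

    session = _find(root, "session-config")
    if session is None:
        findings.append("no <session-config>: container defaults apply")
        return findings

    cookie = _find(session, "cookie-config")
    if _text(cookie, "http-only").lower() != "true":
        findings.append("session cookie is not HttpOnly (readable by script)")
    secure = _text(cookie, "secure").lower() == "true"
    if https_only and not secure:
        findings.append("HTTPS-only app but session cookie lacks the Secure flag")
    if secure and not https_only:
        findings.append("Secure flag set but app also serves HTTP: "
                        "the session cookie will not be sent on HTTP requests")

    # Anything other than COOKIE alone lets the container put the id in URLs.
    modes = {(m.text or "").strip().upper()
             for m in session if _local(m.tag) == "tracking-mode"}
    if modes != {"COOKIE"}:
        findings.append("tracking-mode is %s: session id may be rewritten into URLs"
                        % (sorted(modes) or "unset"))
    return findings


# Constructed sample: the layout proposed in the issue.
HARDENED_WEB_XML = """<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee">
  <session-config>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>"""

# Constructed sample: a pre-3.0 descriptor with only a timeout configured.
LEGACY_WEB_XML = """<web-app>
  <session-config>
    <session-timeout>60</session-timeout>
  </session-config>
</web-app>"""


if __name__ == "__main__":
    for label, doc, https in (("hardened/https-only", HARDENED_WEB_XML, True),
                              ("hardened/mixed", HARDENED_WEB_XML, False),
                              ("legacy/https-only", LEGACY_WEB_XML, True)):
        print(label, audit_session_config(doc, https_only=https) or "OK")
```

Running it with the hardened descriptor and `https_only=True` reports nothing; the same descriptor with `https_only=False` yields exactly the mixed-content warning Jacques raises, and the legacy descriptor reports all four gaps (spec version, HttpOnly, Secure, tracking mode).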