[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure

2019-01-11 Thread Deepak Nigam (JIRA)


[ https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16741116#comment-16741116 ]

Deepak Nigam commented on OFBIZ-6655:

Hi [~jacques.le.roux],

On double checking, I found that 
/applications/marketing/webapp/marketing/WEB-INF/web.xml and 
/applications/party/webapp/partymgr/WEB-INF/web.xml files have been missed. 
Attached the patch for the same.

Apart from that, I think we need to work on the web.xml of various plugins also.

> Add session tracking mode and make cookie secure
> 
>
> Key: OFBIZ-6655
> URL: https://issues.apache.org/jira/browse/OFBIZ-6655
> Project: OFBiz
> Issue Type: Sub-task
> Components: ALL COMPONENTS
> Affects Versions: Trunk, 14.12.01
> Reporter: Deepak Dixit
> Assignee: Jacques Le Roux
> Priority: Major
> Fix For: 14.12.01, 15.12.01, 17.12.01, 18.12.01
>
> Attachments: OFBIA-6655.applications.patch, 
> OFBIZ-6655-programmatically-session-cookies-plugins.patch, 
> OFBIZ-6655-programmatically-session-cookies-trunk.patch, 
> OFBIZ-6655.framework_themes.patch, OFBIZ-6655_specialpurpose_leftover.patch, 
> sessionConifg_ecommerce.patch
>
>
> Need to enhance security at web-app level.
> As per current implementation:
> - The cookie containing the session identifier is not secure
> - The session identifier is transmitted in the query string of the URL
> To fix these issues we have to add the following session config options in web.xml
> {code}
> <session-config>
>   <cookie-config>
>     <http-only>true</http-only>
>     <secure>true</secure>
>   </cookie-config>
>   <tracking-mode>COOKIE</tracking-mode>
> </session-config>
> {code}
> Also we need to update the web-app servlet specification from 2.3 to 3.0
> {code}
> <web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
> http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
> {code}
> https://tomcat.apache.org/whichversion.html



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
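
The comment above reports web.xml files that were missed by the earlier patches. The following is an added example, not part of the thread or of OFBiz: a Python check that walks a source tree and lists every WEB-INF/web.xml lacking the session settings from the issue description. The function names and the two sample documents are constructed for illustration.

```python
import os
import xml.etree.ElementTree as ET

# Constructed samples: a web.xml with the issue's settings, and a legacy 2.3-style one.
HARDENED = """<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee">
  <session-config>
    <cookie-config><http-only>true</http-only><secure>true</secure></cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>"""
LEGACY = """<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app><session-config><session-timeout>60</session-timeout></session-config></web-app>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the namespace so 2.3 and 3.0 files compare alike

def _find(elem, *path):
    for name in path:  # walk children by local name; None if any step is missing
        if elem is None:
            return None
        elem = next((c for c in elem if _local(c.tag) == name), None)
    return elem

def audit_web_xml(xml_data):
    """Return findings for one web.xml (str or bytes); an empty list means it is hardened."""
    root = ET.fromstring(xml_data)
    findings = []
    major = root.get("version", "0").split(".")[0]
    if not major.isdigit() or int(major) < 3:
        findings.append("web-app version is below 3.0")
    session = _find(root, "session-config")
    for flag in ("http-only", "secure"):
        node = _find(session, "cookie-config", flag)
        if node is None or (node.text or "").strip() != "true":
            findings.append(f"cookie-config/{flag} is not true")
    modes = {(c.text or "").strip() for c in (session if session is not None else [])
             if _local(c.tag) == "tracking-mode"}
    if modes != {"COOKIE"}:
        findings.append(f"tracking-mode is {sorted(modes) or 'unset'}, expected COOKIE only")
    return findings

def audit_tree(top):
    """Audit every WEB-INF/web.xml under top; return {path: findings} for files that fail."""
    report = {}
    for dirpath, _dirs, files in os.walk(top):
        if os.path.basename(dirpath) == "WEB-INF" and "web.xml" in files:
            path = os.path.join(dirpath, "web.xml")
            with open(path, "rb") as fh:
                findings = audit_web_xml(fh.read())
            if findings:
                report[path] = findings
    return report
```

Running `audit_tree` over the applications and plugins directories gives the list of descriptors still to patch; a file that also declares a `URL` tracking mode is reported, since the session identifier could then still appear in the query string.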


[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure

2017-09-26 Thread Jacques Le Roux (JIRA)

[ https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16180818#comment-16180818 ]

Jacques Le Roux commented on OFBIZ-6655:


I'll commit these patches in a week, please review, thanks

> Add session tracking mode and make cookie secure
> 
>
> Key: OFBIZ-6655
> URL: https://issues.apache.org/jira/browse/OFBIZ-6655
> Project: OFBiz
> Issue Type: Sub-task
> Components: ALL COMPONENTS
> Affects Versions: Trunk, 14.12.01
> Reporter: Deepak Dixit
> Assignee: Jacques Le Roux
> Fix For: 14.12.01, 15.12.01
>
> Attachments: OFBIA-6655.applications.patch, 
> OFBIZ-6655.framework_themes.patch, 
> OFBIZ-6655-programmatically-session-cookies-plugins.patch, 
> OFBIZ-6655-programmatically-session-cookies-trunk.patch, 
> OFBIZ-6655_specialpurpose_leftover.patch, sessionConifg_ecommerce.patch





[jira] [Commented] (OFBIZ-6655) Add session tracking mode and make cookie secure

2017-09-26 Thread Jacques Le Roux (JIRA)

[ https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16180789#comment-16180789 ]

Jacques Le Roux commented on OFBIZ-6655:


Thanks for your review Pradhan (and not Yash as I used in dev ML, sorry)



