Hi Dev,
I would like to propose some security enhancements at web-app level. IMO we have to enhance sessionId and cookie tracking. As per current implementation:

- The cookie containing the session identifier is not secure
- The session identifier is transmitted in the query string of the URL

We can add the following configuration in web.xml to fix the above issue:

<session-config>
  <cookie-config>
    <http-only>true</http-only>
    <secure>true</secure>
  </cookie-config>
  <tracking-mode>COOKIE</tracking-mode>
</session-config>

To use cookie-config and tracking-mode we need to update the servlet specification to 3.0
https://tomcat.apache.org/whichversion.html

Thanks & Regards
—
Deepak Dixit
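The two weaknesses listed in the proposal above can be verified from the outside once the web.xml change is deployed. The following Python script is an added example, not OFBiz code and not from this thread: it parses Set-Cookie headers, flags a session cookie that lacks Secure or HttpOnly, and scans the Location header and the response body for `;jsessionid=` URL rewriting, which is what tracking-mode COOKIE is meant to stop. The sample responses are constructed, and the cookie name JSESSIONID is an assumption (Tomcat's default).

```python
"""Added example: audit an HTTP response for the two session-handling
weaknesses discussed in the thread (session cookie without Secure/HttpOnly,
session id rewritten into URLs). Not OFBiz code; samples are constructed."""
import re

# Assumption: the container uses Tomcat's default session cookie name.
SESSION_COOKIE = "JSESSIONID"

# Servlet containers rewrite the id as a path parameter, e.g. /control/main;jsessionid=ABC
URL_SESSION_RE = re.compile(r";jsessionid=[0-9A-Za-z._-]+", re.IGNORECASE)


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attributes).
    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_session_cookie(header):
    """Return the list of missing protections on a Set-Cookie header.
    Cookies other than the session cookie yield no findings."""
    name, _value, attrs = parse_set_cookie(header)
    if name.upper() != SESSION_COOKIE:
        return []
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    return findings


def find_url_session_ids(text):
    """Return every ';jsessionid=...' occurrence, i.e. evidence of URL rewriting."""
    return URL_SESSION_RE.findall(text)


def audit_response(headers, body):
    """headers: list of (name, value) pairs; body: response text.
    Returns {'cookie': [...], 'url': [...]}; both empty means the response is clean."""
    findings = {"cookie": [], "url": []}
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            findings["cookie"].extend(audit_session_cookie(value))
        elif lname == "location":
            findings["url"].extend(find_url_session_ids(value))
    findings["url"].extend(find_url_session_ids(body))
    return findings


# Constructed sample: behaviour before the web.xml change.
WEAK_HEADERS = [
    ("Set-Cookie", "JSESSIONID=ABC123; Path=/"),
    ("Location", "https://shop.example/control/main;jsessionid=ABC123"),
]
WEAK_BODY = '<a href="/control/checkout;jsessionid=ABC123">Checkout</a>'

# Constructed sample: behaviour with cookie-config and tracking-mode COOKIE applied.
HARDENED_HEADERS = [
    ("Set-Cookie", "JSESSIONID=ABC123; Path=/; Secure; HttpOnly"),
    ("Location", "https://shop.example/control/main"),
]
HARDENED_BODY = '<a href="/control/checkout">Checkout</a>'


if __name__ == "__main__":
    for label, hdrs, body in (("weak", WEAK_HEADERS, WEAK_BODY),
                              ("hardened", HARDENED_HEADERS, HARDENED_BODY)):
        print(label, audit_response(hdrs, body))
```

Two caveats when rolling this out: with `<secure>true</secure>` the browser will not send the session cookie over plain HTTP, so every webapp that uses it must be reachable over HTTPS end to end; and with tracking-mode COOKIE, a client that refuses cookies will never keep a session, so login flows should be re-tested after the change rather than only checking the headers.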
Servlet spec 3.0 is implemented in Tomcat versions 7.x. In trunk (and release branch 14.x) we use Tomcat 7.0.64.

So this can be applied in future release branches as well as in r14.x

Best regards,

Pierre Smits

*OFBiz Extensions Marketplace*
http://oem.ofbizci.net

On Thu, Sep 24, 2015 at 11:27 AM, Deepak Dixit <[hidden email]> wrote:
That's quite good news, thanks Deepak and Pierre!
Jacques

On 24/09/2015 11:44, Pierre Smits wrote:
Thanks Pierre and Jacques.
I opened a ticket for the same: https://issues.apache.org/jira/browse/OFBIZ-6655

Thanks & Regards
—
Deepak Dixit

On Sep 24, 2015, at 5:35 PM, Jacques Le Roux <[hidden email]> wrote: