[jira] [Comment Edited] (OFBIZ-6655) Add session tracking mode and make cookie secure


Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16180373#comment-16180373 ]

Jacques Le Roux edited comment on OFBIZ-6655 at 9/27/17 12:37 PM:
------------------------------------------------------------------

Hi Deepak,

At r1722379 you reverted r1719762 (actually r1719939). You were right to do so for RequestHandler but not for the other files. Because it now does not handle security for cookies which are not session cookies. It's minor but still a risk, notably for autoLoginCookie

At r1809687 I reapplied r1719762 for the other files to make other than session cookies secure. I will not backport. More to come soon...

At r1809838 I slightly improved r1809687 by not securing cookies just before deleting them


was (Author: jacques.le.roux):
Hi Deepak,

At r1722379 you reverted r1719762 (actually r1719939). You were right to do so for RequestHandler but not for the other files. Because it now does not handle security for cookies which are not session cookies. It's minor but still a risk, notably for autoLoginCookie

At r1809687 I reapplied r1719762 for the other files to make other than session cookies secure. I will not backport. More to come soon...

> Add session tracking mode and make cookie secure
> ------------------------------------------------
>
>                 Key: OFBIZ-6655
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-6655
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL COMPONENTS
>    Affects Versions: Trunk, 14.12.01
>            Reporter: Deepak Dixit
>            Assignee: Jacques Le Roux
>             Fix For: 14.12.01, 15.12.01
>
>         Attachments: OFBIA-6655.applications.patch, OFBIZ-6655.framework_themes.patch, OFBIZ-6655-programmatically-session-cookies-plugins.patch, OFBIZ-6655-programmatically-session-cookies-trunk.patch, OFBIZ-6655_specialpurpose_leftover.patch, sessionConifg_ecommerce.patch
>
>
> Need to enhance security at web-app level.
> As per current implementation:
> - The cookie containing the session identifier is not secure
> - The session identifier is transmitted in the query string of the URL
> To fix these issues we have to add the following session config options in web.xml
> {code}
> <session-config>
> <cookie-config>
>    <http-only>true</http-only>
>    <secure>true</secure>
> </cookie-config>
> <tracking-mode>COOKIE</tracking-mode>
> </session-config>
> {code}
> Also we need to update the web-app servlet specification from 2.3 to 3.0
> {code}
> <web-app version="3.0"
>         xmlns="http://java.sun.com/xml/ns/javaee"
>         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
>                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
> {code}
> https://tomcat.apache.org/whichversion.html



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
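The web.xml fragment quoted in the issue only governs the container's own session cookie (JSESSIONID), which is the gap the comment above points at: cookies the application sets itself, such as the autoLoginCookie, get no Secure or HttpOnly flag from session-config. The following is an added example, not OFBiz code or any of the attached patches. It shows the programmatic Servlet 3.0 equivalent of the quoted session-config (the "programmatically-session-cookies" route the attachment names hint at), a helper that hardens an application-set cookie, and a deletion helper that sets no Secure flag, matching the r1809838 remark. The class and method names (SecureCookieListener, addHardenedCookie, deleteCookie) are assumptions for this example.

```java
// Added example, not OFBiz code. Needs the Servlet 3.0 API (javax.servlet),
// which is why the issue asks to move web.xml from version 2.3 to 3.0.
package example;

import java.util.EnumSet;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebListener
public class SecureCookieListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // Same effect as <cookie-config><http-only>true</http-only><secure>true</secure></cookie-config>
        SessionCookieConfig scc = ctx.getSessionCookieConfig();
        scc.setHttpOnly(true);  // document.cookie cannot read JSESSIONID, limiting session theft via XSS
        scc.setSecure(true);    // the browser only returns JSESSIONID over HTTPS

        // Same effect as <tracking-mode>COOKIE</tracking-mode>: the container never rewrites
        // URLs with ;jsessionid=..., so the id does not leak into logs, Referer headers or bookmarks.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }

    /**
     * session-config does not touch cookies the application creates itself (for example an
     * auto-login / remember-me cookie), so those must be hardened where they are set.
     */
    public static void addHardenedCookie(HttpServletRequest request, HttpServletResponse response,
                                         String name, String value, int maxAgeSeconds) {
        Cookie cookie = new Cookie(name, value);
        cookie.setPath(cookiePath(request));
        cookie.setMaxAge(maxAgeSeconds);
        cookie.setHttpOnly(true);  // Cookie.setHttpOnly exists from Servlet 3.0 on
        // Unconditional, like <secure>true</secure> above: the application must then be served
        // over HTTPS only, otherwise the browser never sends the cookie back at all.
        cookie.setSecure(true);
        response.addCookie(cookie);
    }

    /**
     * Deleting a cookie means sending it again with Max-Age=0. It carries no value worth
     * protecting, so the Secure flag is not needed here; what does matter is that the path
     * matches the original cookie, or the browser keeps the old one.
     */
    public static void deleteCookie(HttpServletRequest request, HttpServletResponse response, String name) {
        Cookie cookie = new Cookie(name, "");
        cookie.setPath(cookiePath(request));
        cookie.setMaxAge(0);
        response.addCookie(cookie);
    }

    // Root deployments have an empty context path; a cookie path of "" is not what we want.
    private static String cookiePath(HttpServletRequest request) {
        String contextPath = request.getContextPath();
        return contextPath.isEmpty() ? "/" : contextPath;
    }
}
```

The @WebListener annotation is only honoured by a Servlet 3.0 container scanning a 3.0 web.xml (or the listener can be registered with a `<listener>` element instead). One deployment caveat a practitioner will hit: behind a reverse proxy that terminates TLS, Tomcat sees plain HTTP, so `request.isSecure()` is false unless the connector is marked secure or RemoteIpValve is configured; the unconditional `setSecure(true)` above is independent of that, but any code that conditions the flag on `isSecure()` would silently leave cookies unprotected in such a setup.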