[
https://issues.apache.org/jira/browse/OFBIZ-10635?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16673079#comment-16673079 ]
Jacques Le Roux commented on OFBIZ-10635:
-----------------------------------------
Interesting to know:
* You need to ["Periodically manually purge expired cookies and vacuum db" in FF|
https://bugzilla.mozilla.org/show_bug.cgi?id=576347]
* [sessionCookiePathUsesTrailingSlash in Tomcat|
https://tomcat.apache.org/tomcat-9.0-doc/config/context.html] Not an issue in OFBiz OOTB since we don't have similar names for applications. Also as stated in Tomcat doc:
bq. However, it should be noted that RFC 6265, section 8.5 makes clear that path alone should not be view as sufficient to prevent untrusted applications accessing cookies from other applications.
> Correct behaviour of Autologin cookies
> --------------------------------------
>
> Key: OFBIZ-10635
> URL:
https://issues.apache.org/jira/browse/OFBIZ-10635> Project: OFBiz
> Issue Type: Bug
> Components: ALL APPLICATIONS
> Affects Versions: Trunk, Release Branch 16.11, Release Branch 17.12
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Major
>
> With OFBIZ-4959 I have cleaned a bit how the Autologin cookies behave. But I followed the way it was initially done and when you think about it it does not make sense.
> I introduced the "keep-autologin-cookie" attribute in the "webapp" element of the ofbiz-component files. But after I created the securedLoginId cookies for OFBIZ-10307 we no longer need to create Autologin cookies for applications which don't use it.
> So I'll rename "keep-autologin-cookie" to "use-autologin-cookie", and only create Autologin cookies when needed. No need to create and keep Autologin cookies in applications that don't need it.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
Locked
