[
https://issues.apache.org/jira/browse/OFBIZ-6655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15105952#comment-15105952 ]
Jacques Le Roux commented on OFBIZ-6655:
----------------------------------------
Hi Deepak,
You
{quote}
Reverted r1719762, as system fails to find the session cookie for ecommerce, will debug it in more detail but for now to fix this issue reverting r1719762 at r#1722379.
{quote}
Then you applied r1724940. Could you please explain in detail the issue you got with r1719762 that you did not get with r1724940? Was this not related to OFBIZ-6111? Or javascript not able to access the session cookie? Did you test using an OFBiz localhost instance? I ask these questions because we will ultimately need to secure all OFBiz cookies, not only the session cookies.
There are more considerations to take into account, notably that I have introduced _strict-transport-security_ with r1719660 (OFBIZ-6766).
The point is you should set _<secure>true</secure>_ ONLY if you are only serving https content; for mixed content this setting is NOT recommended. But with the introduction of _strict-transport-security_ things are blurred.
Anyway, I will soon open a new Jira for that and other related points, or maybe simply another post to the "Performance over security, is that reasonable?" thread.
> Add session tracking mode and make cookie secure
> ------------------------------------------------
>
> Key: OFBIZ-6655
> URL: https://issues.apache.org/jira/browse/OFBIZ-6655
> Project: OFBiz
> Issue Type: Sub-task
> Components: ALL COMPONENTS
> Affects Versions: Trunk, 14.12.01
> Reporter: Deepak Dixit
> Assignee: Deepak Dixit
> Fix For: 14.12.01, Upcoming Branch, Release Branch 15.12
>
> Attachments: OFBIA-6655.applications.patch, OFBIZ-6655.framework_themes.patch, OFBIZ-6655_specialpurpose_leftover.patch, sessionConifg_ecommerce.patch
>
>
> Need to enhance security at web-app level.
> As per current implementation:
> - The cookie containing the session identifier is not secure
> - The session identifier is transmitted in the query string of the URL
> To fix these issues we have to add the following session config options in web.xml
> {code}
> <session-config>
>     <cookie-config>
>         <http-only>true</http-only>
>         <secure>true</secure>
>     </cookie-config>
>     <tracking-mode>COOKIE</tracking-mode>
> </session-config>
> {code}
> Also we need to update the web-app servlet specification from 2.3 to 3.0
> {code}
> <web-app version="3.0"
>     xmlns="http://java.sun.com/xml/ns/javaee"
>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>     xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
> {code}
>
> https://tomcat.apache.org/whichversion.html
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
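An audit check for the hardening discussed in this issue and comment, added here as an example and not OFBiz code: it inspects every Set-Cookie header (not only JSESSIONID) for the Secure and HttpOnly flags, flags a session id rewritten into a URL, and reports a Secure cookie served without strict-transport-security, which is the mixed-content concern raised above. The header values, URLs and the OFBiz.Visitor cookie are constructed samples.

```python
import re

# Constructed sample responses (not captured from a real OFBiz instance).
# BEFORE: session cookie as it was before OFBIZ-6655.
# AFTER: secure + http-only cookies, COOKIE tracking mode and the
# strict-transport-security header introduced with r1719660.
BEFORE_HEADERS = [
    ("Set-Cookie", "JSESSIONID=abc123; Path=/ecommerce"),
    ("Set-Cookie", "OFBiz.Visitor=10042; Path=/; Max-Age=31536000"),
]
BEFORE_URLS = ["https://localhost:8443/ecommerce/control/main;jsessionid=abc123"]

AFTER_HEADERS = [
    ("Set-Cookie", "JSESSIONID=abc123; Path=/ecommerce; Secure; HttpOnly"),
    ("Set-Cookie", "OFBiz.Visitor=10042; Path=/; Max-Age=31536000; Secure; HttpOnly"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]
AFTER_URLS = ["https://localhost:8443/ecommerce/control/main"]

JSESSIONID_IN_URL = re.compile(r";jsessionid=", re.IGNORECASE)

def cookie_flags(set_cookie_value):
    """Split one Set-Cookie value into (cookie name, set of lowercase attribute names)."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0]
    return name, {p.split("=", 1)[0].lower() for p in parts[1:] if p}

def audit(headers, urls):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    hsts = any(n.lower() == "strict-transport-security" for n, _ in headers)
    for n, v in headers:
        if n.lower() != "set-cookie":
            continue
        name, flags = cookie_flags(v)
        for flag in ("secure", "httponly"):
            if flag not in flags:
                findings.append(f"cookie {name} lacks {flag}")
        if "secure" in flags and not hsts:
            # A Secure cookie is never sent on plain-http requests; without HSTS
            # a site still reachable over http loses the session (mixed content).
            findings.append(f"cookie {name} is Secure but no HSTS header is set")
    for u in urls:
        if JSESSIONID_IN_URL.search(u):
            findings.append(f"session id exposed in URL: {u}")
    return findings

if __name__ == "__main__":
    for label, h, u in (("before", BEFORE_HEADERS, BEFORE_URLS), ("after", AFTER_HEADERS, AFTER_URLS)):
        print(label, audit(h, u) or ["OK"])
```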