[
https://issues.apache.org/jira/browse/OFBIZ-6867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15134153#comment-15134153 ]
Jacques Le Roux commented on OFBIZ-6867:
----------------------------------------
Completed at r1728660 (no functional change, just get rid of the "cookies" now unused variable)
> Remove forceManualJsessionid feature
> ------------------------------------
>
> Key: OFBIZ-6867
> URL:
https://issues.apache.org/jira/browse/OFBIZ-6867> Project: OFBiz
> Issue Type: Sub-task
> Components: framework
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Fix For: Upcoming Branch
>
>
> This follows this [Scott's comment|
https://issues.apache.org/jira/browse/OFBIZ-6111?focusedCommentId=15076677] in OFBIZ-6111.
> I totally agree and will also create an issue to remove forceHttpSession. We should always use HTTPS as explained at OFBIZ-6849
> I will also create an issue to get rid of the session-cookie-accepted feature. When the present issue will be done, it will no longer be used OOTB and anyway should not be needed
> We should always use sessionIds in cookies and newer have sessionsIds in URLs. So I will create another issue to remove all sessionsIds in URLs. There are 2 cases:
> # the part related to spiders in RequestHandler
> # HtmlFormRenderer.appendExternalLoginKey() (there is also an appendExternalLoginKey mtehod in MacroFormRenderer class but it's not used OOTB)
> There are also many cases where we show the sessionId in logs (using UtilHttp.getSessionId()) I wonder if we should not keep those commented out or change the debug info level. Also HttpSessionEvent.getSession().getId() is directly used in some places for the same purpose (log)
> These are more improvement sub-tasks but we will decide later if we want to backport them because it's security issues but could have an impact on custom projects based on releases.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
Locked
