Author: jleroux
Date: Wed Oct 18 15:01:04 2017
New Revision: 1812540
URL:
http://svn.apache.org/viewvc?rev=1812540&view=rev
Log:
Improved: Enhance cookies security
(OFBIZ-9865)
Working on OFBIZ-6766, I was reading
https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#SameSite_Attribute
and decided to slightly improve our cookies security
Modified:
ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/WebAppServletContextListener.java
Modified: ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
URL:
http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java?rev=1812540&r1=1812539&r2=1812540&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java (original)
+++ ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java Wed Oct 18 15:01:04 2017
@@ -978,6 +978,8 @@ public class RequestHandler {
//
https://wiki.mozilla.org/Security/Features/XSS_Filter
//
https://bugzilla.mozilla.org/show_bug.cgi?id=528661
resp.addHeader("X-XSS-Protection","1; mode=block");
+
+ resp.setHeader("Set-Cookie", "SameSite=strict"); // TODO maybe one day the ServletContext will allow to do that, then better in WebAppServletContextListener
try {
if (Debug.verboseOn()) Debug.logVerbose("Rendering view [" + nextPage + "] of type [" + viewMap.type + "]", module);
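Review bot: `resp.setHeader("Set-Cookie", "SameSite=strict")` on the added line does not attach a SameSite attribute to the session cookie; the browser receives a separate cookie whose name is `SameSite` and whose value is `strict`, and because `setHeader` replaces rather than appends, any Set-Cookie headers already queued on the response are discarded. The attribute has to be appended to the value of each real Set-Cookie header, as sketched below, iterating over a copy since the first `setHeader` clears the live collection. The container-managed session cookie is typically written at commit time and so is not reached by this code either; as the TODO anticipates, that one needs to be handled by the servlet container's cookie configuration once it supports SameSite. The enclosing method starts and ends outside the hunk.
```java
// … unchanged: X-XSS-Protection header …
// Append SameSite to every cookie already queued on this response; a bare
// "SameSite=strict" header value would be sent as a cookie *named* SameSite.
boolean firstCookie = true;
for (String cookie : new ArrayList<>(resp.getHeaders("Set-Cookie"))) {
    String withSameSite = cookie.contains("SameSite=") ? cookie : cookie + "; SameSite=Strict";
    if (firstCookie) {
        resp.setHeader("Set-Cookie", withSameSite); // replaces the original list
        firstCookie = false;
    } else {
        resp.addHeader("Set-Cookie", withSameSite);
    }
}
try {
```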
Modified: ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/WebAppServletContextListener.java
URL:
http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/WebAppServletContextListener.java?rev=1812540&r1=1812539&r2=1812540&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/WebAppServletContextListener.java (original)
+++ ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/WebAppServletContextListener.java Wed Oct 18 15:01:04 2017
@@ -27,6 +27,8 @@ import javax.servlet.SessionCookieConfig
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;
+import org.apache.ofbiz.base.util.UtilProperties;
+
@WebListener
public class WebAppServletContextListener implements ServletContextListener {
@@ -40,6 +42,11 @@ public class WebAppServletContextListene
SessionCookieConfig sessionCookieConfig = servletContext.getSessionCookieConfig();
sessionCookieConfig.setHttpOnly(true);
sessionCookieConfig.setSecure(true);
+ sessionCookieConfig.setComment("Created by Apache OFBiz WebAppServletContextListener");
+ String cookieDomain = UtilProperties.getPropertyValue("url", "cookie.domain", "");
+ if (cookieDomain.length() > 0) sessionCookieConfig.setDomain(cookieDomain);
+ sessionCookieConfig.setMaxAge(60 * 60 * 24 * 365);
+ sessionCookieConfig.setPath(servletContext.getContextPath());
}
/* (non-Javadoc)
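Review bot: `sessionCookieConfig.setMaxAge(60 * 60 * 24 * 365);` turns the session cookie into a persistent cookie that survives browser restarts for a year, which widens the window in which a stolen or left-behind session identifier stays usable; leaving Max-Age unset (a browser-session cookie) is the safer choice for a cookie whose only job is to carry the session id, and it is what the OWASP cheat sheet cited in the log recommends, so I would drop that line. If a long-lived cookie is wanted for a remember-me feature it should be a separate cookie, not the session one. `setComment` only has an effect with the legacy RFC 2109 cookie format and is generally ignored by RFC 6265 cookie processors, so it adds nothing here. The method enclosing this hunk starts outside it.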