Log Message:
2 modified patches from Rahul Bhammarker for "Add session tracking mode and make cookie secure" https://issues.apache.org/jira/browse/OFBIZ-6655
Need to enhance security at web-app level.
As per current implementation:
- The cookie containing the session identifier is not secure
- The session identifier is transmitted in the query string of the URL
To fix these issues we have to add the following session config options in web.xml
{code}
<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
{code}
Also we need to update the web-app servlet specification from 2.3 to 3.0
{code}
<web-app version="3.0"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
{code}
https://tomcat.apache.org/whichversion.html
jleroux: these are only the framework+themes+applications patches, with 3 entries not applied
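As an added check that is not part of this commit or of OFBiz, the following Python script audits a web.xml for the three settings described above (servlet version 3.0+, `secure`/`http-only` on the session cookie, and `tracking-mode` restricted to `COOKIE`); both sample descriptors are constructed for the example.

```python
import xml.etree.ElementTree as ET

JAVAEE_NS = "http://java.sun.com/xml/ns/javaee"

# Constructed sample: the pre-patch state the commit describes (servlet 2.3 DTD,
# no namespace, no cookie-config, session id still allowed in the URL).
WEAK_WEB_XML = """<web-app>
  <session-config>
    <session-timeout>60</session-timeout>
  </session-config>
</web-app>"""

# Constructed sample: the settings the commit adds, on a servlet 3.0 web-app.
FIXED_WEB_XML = """<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee">
  <session-config>
    <session-timeout>60</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>"""


def audit_web_xml(xml_text):
    """Return a list of 'key: detail' findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    # Servlet 2.3 descriptors use a DTD with no namespace; 2.4+ carry the javaee namespace.
    ns = "{%s}" % JAVAEE_NS if root.tag == "{%s}web-app" % JAVAEE_NS else ""
    findings = []
    version = root.get("version")
    # cookie-config and tracking-mode only exist in the 3.0 schema, so an older
    # descriptor cannot express the fix even if the elements are pasted in.
    if version is None or float(version) < 3.0:
        findings.append("version: web-app must be 3.0+ for cookie-config/tracking-mode (found %s)" % version)
    session = root.find(ns + "session-config")
    cookie = session.find(ns + "cookie-config") if session is not None else None
    for flag in ("http-only", "secure"):
        el = cookie.find(ns + flag) if cookie is not None else None
        if el is None or (el.text or "").strip().lower() != "true":
            findings.append("%s: cookie-config/%s is not true" % (flag, flag))
    # Any mode other than exactly COOKIE (URL, or COOKIE plus URL) leaves URL rewriting on.
    modes = [] if session is None else [
        (m.text or "").strip().upper() for m in session.findall(ns + "tracking-mode")]
    if modes != ["COOKIE"]:
        findings.append("tracking-mode: session id may be sent in the URL (found %s)" % (modes or "none"))
    return findings


def finding_keys(xml_text):
    """Just the names of the checks that failed, sorted for easy comparison."""
    return sorted(f.split(":")[0] for f in audit_web_xml(xml_text))
```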