Loading...

XML

Word

Printable

Type: Task
Resolution: Fixed
Priority: L3 - Default
Fix Version/s: 7.12.0, 7.10.7, 7.9.13, 7.11.1, 7.12.0-alpha1
Affects Version/s: None
Component/s: engine, webapp
Labels:
None

Add session cookie security configuration to Webapps
- secure flag is disabled
- http-only flag is enabled

For JBoss EAP adjust web.xml as follows:

<web-app
  version="3.0"
  xmlns="http://java.sun.com/xml/ns/javaee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
  xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
  ...
  <session-config>
    <cookie-config>
      <http-only>true</http-only>
      <secure>false</secure>
    </cookie-config>
  </session-config>

For WebLogic adjust weblogic.xml as follows:

<?xml version="1.0" encoding="UTF-8"?>
<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd http://xmlns.oracle.com/weblogic/weblogic-web-app http://xmlns.oracle.com/weblogic/weblogic-web-app/1.0/weblogic-web-app.xsd">
...
<session-descriptor>
  <cookie-http-only>true</cookie-http-only>
  <cookie-secure>false</cookie-secure>
</session-descriptor>

Add integration test that validates presence of the configuration => this is part of CAM-10447

Assignee:: Unassigned
Reporter:: Tassilo Weidner-Mühl
Votes:: 0 Vote for this issue
Watchers:: 1 Start watching this issue

Created:: 12/Jun/19 4:02 PM
Updated:: 27/Jun/19 3:46 PM
Resolved:: 14/Jun/19 9:38 AM

Details

Description

Attachments

Activity

People

Dates

Salesforce