Uploaded image for project: 'OFBiz'
  1. OFBiz
  2. OFBIZ-1525 Issue to group security concerns
  3. OFBIZ-6872

Remove all sessionsIds put in URLs

    XMLWordPrintableJSON

Details

    • Sub-task
    • Status: Closed
    • Major
    • Resolution: Done
    • Trunk
    • 16.11.01
    • framework
    • None
    • Bug Crush Event - 21/2/2015

    Description

      We should always use sessionIds in cookies and newer have sessionsIds in URLs. So I will remove all sessionsIds in URLs. There are 2 cases:

      1. the part related to spiders in RequestHandler
      2. HtmlFormRenderer.appendExternalLoginKey() (there is also an appendExternalLoginKey method in MacroFormRenderer class but it's not used OOTB)

      There are also many cases where we show the sessionId in logs (using UtilHttp.getSessionId()) I wonder if we should not keep those commented out or change the debug info level. Also HttpSessionEvent.getSession().getId() is directly used in some places for the same purpose (log)

      Attachments

        Issue Links

          relates to

          Sub-task - The sub-task of the issue OFBIZ-6849 Use only HTTPS in OFBiz

          • Major - Major loss of function.
          • Closed

          Sub-task - The sub-task of the issue OFBIZ-6886 Hide sessionId in logs by default, show them using a properties

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed

          Activity

            People

              jleroux Jacques Le Roux
              jleroux Jacques Le Roux
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: