Description
Remove the <tracking-mode> configuration from the archetype and Go Green CMS web.xml files, and properly document this setting in our deployment documentation, explaining the security vulnerability risk that the system administrator must take care of.
The <tracking-mode> element has been supported since Servlet Spec 3.0. You can set it to 'COOKIE' to avoid the security vulnerability of exposing the session ID in the URL, but the system administrator can also set it in a container configuration file such as $CATALINA_BASE/conf/web.xml.
According to [1], "An equivalent effect can be obtained by configuring the session-config/tracking-mode elements in a web application or in the global CATALINA_BASE/conf/web.xml file."
We can emphasize the risk and its solution in separate documentation, but we don't have to put <tracking-mode> into our products (archetype or gogreen) ourselves. By not including it, we get a simpler default setup and stay compliant with both Servlet spec 2.5 and 3.0.
In any case, we should remove <tracking-mode> from the CMS web.xml file, and describe the risk and solution on the online documentation site.
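For the documentation referred to above, here is what the administrator-side setting looks like. This is an added example, not the project's own web.xml; it assumes a plain Servlet 3.0 deployment descriptor and a Tomcat container (where the same element can instead go into the global $CATALINA_BASE/conf/web.xml).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Servlet 3.0 descriptor: version="3.0" and the 3.0 schema are required.
     A 2.5 descriptor has no <tracking-mode> element, which is why the
     product web.xml itself stays free of it. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <session-config>
    <!-- Risk when this element is omitted: Tomcat defaults to COOKIE plus
         URL tracking, so the first response to a client that has not yet
         sent a session cookie rewrites the session ID into the URL
         (;jsessionid=...), where it can leak through Referer headers,
         access logs, bookmarks and shared links. -->
    <!-- Mitigation: allow only cookie-based tracking. Placing this same
         <session-config> block in $CATALINA_BASE/conf/web.xml applies it
         to every web application on the container. -->
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>

</web-app>
```

A quick check after deployment is to request a page with a fresh client (no cookies) and confirm that no ;jsessionid= appears in any URL of the response.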
Issue Links
- is a result of CMS-7561 "Regression: session ID is written in the URL first time connecting to CMS" (Closed)