How to secure the JSESSIONID Cookie and restrict the login-attempts


kevin...@materna.de

Sep 13, 2013, 7:35:47 AM
to scmma...@googlegroups.com
Hello Sebastian,

first of all, thanks for this nice application!

I have two little security issues:

Can you tell me, how can I set the secure and http-only flag options for the JSESSIONID cookie?

I tried to add the following to the web.xml in the scm-manager.war:

<session-config>
  <session-timeout>30</session-timeout>
  <cookie-config>
    <secure>true</secure>
    <http-only>true</http-only>
  </cookie-config>
</session-config>

And I added the sessionHandler to the server-config.xml below the line <New id="scm-webapp" class="org.eclipse.jetty.webapp.WebAppContext">:

<Get name="sessionHandler">
  <Get name="sessionManager">
    <Set name="secureCookies">true</Set>
    <Set name="httpOnly">true</Set>
  </Get>
</Get>


Unfortunately, neither takes effect.


Furthermore, is it possible to add a login restriction, so that the user is locked after e.g. 5 unsuccessful login attempts?


Thanks in advance for your help.

Kind regards,

Kevin

Sebastian Sdorra

Sep 13, 2013, 9:20:57 AM
to scmma...@googlegroups.com
Hi,
Changing the server-config.xml as you described above works for me. After changing the server-config.xml, the HttpOnly flag is delivered with the cookie. Here is the complete WebAppContext of my installation:

  <New id="scm-webapp" class="org.eclipse.jetty.webapp.WebAppContext">
    <Set name="contextPath">/</Set>
    <Set name="war"><SystemProperty name="basedir" default="."/>/var/webapp/scm-webapp.war</Set>
    <!-- disable directory listings -->
    <Call name="setInitParameter">
      <Arg>org.eclipse.jetty.servlet.Default.dirAllowed</Arg>
      <Arg>false</Arg>
    </Call>
    <Get name="sessionHandler">
      <Get name="sessionManager">
        <Set name="secureCookies">true</Set>
        <Set name="httpOnly">true</Set>
      </Get>
    </Get>
  </New>

Changing the web.xml is not necessary. The login restriction is planned for the upcoming release 1.34.


Sebastian
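
To confirm that the sessionManager change above really reaches the browser, here is a small checker that parses Set-Cookie headers and reports whether JSESSIONID carries both Secure and HttpOnly. This is an added example for this thread, not code from SCM-Manager or Jetty; the two sample headers are constructed in Jetty's Set-Cookie layout and the session id value in them is made up. Given a URL on the command line it fetches the headers from a live server instead (the function name fetch_set_cookie_headers and the file name check_cookie_flags.py are my own).

```python
"""Verify that JSESSIONID is served with the Secure and HttpOnly flags.

Added example for this thread, not code from SCM-Manager or Jetty. After
enabling secureCookies/httpOnly in server-config.xml, use it to confirm
the Set-Cookie header the server actually sends.
"""
import sys
import urllib.error
import urllib.request

# Constructed samples in Jetty's Set-Cookie layout, before and after the
# sessionManager change. The id value is invented for illustration.
BEFORE_HEADERS = ["JSESSIONID=1rz3fb0f6qkm2b3ycs0wzun8k;Path=/"]
AFTER_HEADERS = ["JSESSIONID=1rz3fb0f6qkm2b3ycs0wzun8k;Path=/;Secure;HttpOnly"]


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes without a value
    (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_cookies(set_cookie_headers, required=("secure", "httponly")):
    """Return {cookie_name: [missing flags]} for each Set-Cookie header.

    An empty list means the cookie carries every required flag.
    """
    findings = {}
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        findings[name] = [flag for flag in required if flag not in attrs]
    return findings


def fetch_set_cookie_headers(url):
    """GET the URL and return every Set-Cookie value, even on 4xx/5xx.

    Live check, not exercised offline. A 401 or a redirect to the login
    page still carries the session cookie, so error responses count too.
    """
    try:
        with urllib.request.urlopen(url) as resp:
            return resp.headers.get_all("Set-Cookie") or []
    except urllib.error.HTTPError as err:
        return err.headers.get_all("Set-Cookie") or []


def report(findings):
    """Print the audit result; return True when no flag is missing."""
    ok = True
    for name, missing in findings.items():
        if missing:
            ok = False
            print("%s: missing %s" % (name, ", ".join(missing)))
        else:
            print("%s: Secure and HttpOnly present" % name)
    return ok


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python check_cookie_flags.py https://scm.example.org/
        ok = report(audit_cookies(fetch_set_cookie_headers(sys.argv[1])))
    else:
        print("before the sessionManager change:")
        report(audit_cookies(BEFORE_HEADERS))
        print("after:")
        ok = report(audit_cookies(AFTER_HEADERS))
    sys.exit(0 if ok else 1)
```

Two caveats when applying the setting: the Secure flag tells the browser to send the cookie over HTTPS only, so enable secureCookies only when SCM-Manager is actually reached over TLS (directly or behind a TLS-terminating proxy), otherwise the cookie is never returned and every login appears to fail. And the web.xml route from the first post uses the Servlet 3.0 <cookie-config> element, which is ignored in a descriptor declared as an older servlet version; since the server-config.xml route works, that is the one to use.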


