We have been using ODK and everything was OK until we did a PCI Qualys scan, and the scan failed because there was no secure cookie attribute in our tomcat6. I added it manually:
Secure Cookie
By editing /path_to_tomcat/conf/server.xml
And adding the following line: secure="true"
in the HTTP non-secure Connector:
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" secure="true"/>
Now the PCI scan passes, but ODK gives the error:
"You do not have permission for this action. Error: Invalid request"
If I remove secure="true" from server.xml, ODK starts to work again, but the PCI scan fails.
What happens if you disable the HTTP connector and just use HTTPS?
Yaw
--
Need ODK consultants? Nafundi provides form design, server setup,
in-field training, and software development for ODK. Go to
https://nafundi.com to get started.
If you are using an SSL certificate (HTTPS), it would typically be
configured for either port 443 or port 8443; in that case, you would have
that entry declare the secure="true" attribute. e.g.,
Port 8080 (as you have configured it above) is NOT using HTTPS; it is
incorrect to set secure="true" on that port.
And your PCI scan, if it reports your system as passing by doing this, is
100% broken and entirely pointless, worthless, useless, etc.
On Wed, Feb 10, 2016 at 5:17 AM, Yaw Anokwa wrote:
What happens if you disable the HTTP connector and just use HTTPS?
Yaw
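The connector layout the reply above describes, written out as an added example that is not part of this thread or of the ODK project's own documentation. It is a Tomcat 6 server.xml fragment; the port numbers follow the original post (8080 and 8443), and the keystore path and password are placeholders you must replace. A cookie carrying the Secure attribute is not sent back by the browser over plain HTTP, which is why forcing the flag on the 8080 connector breaks the session.

```xml
<!-- conf/server.xml (added example; keystore path and password are placeholders) -->
<Service name="Catalina">

  <!-- Plain HTTP connector. Because it serves http://, it must NOT carry
       secure="true": that attribute makes request.isSecure() return true for
       every request on this port, so Tomcat marks the JSESSIONID cookie it
       issues as Secure and the browser then refuses to send it back over
       plain HTTP. redirectPort only takes effect for paths that web.xml
       protects with a CONFIDENTIAL transport-guarantee (see the note below);
       alternatively delete or comment out this whole element to disable
       HTTP entirely, as suggested earlier in the thread. -->
  <Connector port="8080" protocol="HTTP/1.1"
             connectionTimeout="20000"
             redirectPort="8443" />

  <!-- HTTPS connector. This is where scheme="https" and secure="true" belong:
       the session cookie Tomcat issues on this port gets the Secure attribute,
       which is what the scanner is checking for. -->
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
             maxThreads="150" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"
             keystoreFile="/etc/tomcat6/keystore.jks"
             keystorePass="changeit" />

  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps"
          unpackWARs="true" autoDeploy="true" />
  </Engine>
</Service>
```

To force every request onto HTTPS rather than relying on users to type https://, the application's web.xml needs a <security-constraint> covering /* whose <transport-guarantee> is CONFIDENTIAL; Tomcat then answers a request on port 8080 with a redirect to the redirectPort. After restarting Tomcat, the check the scanner performs can be reproduced with `curl -kI https://host:8443/` and confirming that the Set-Cookie header it returns carries the Secure attribute, while a request to http://host:8080/ should no longer set a session cookie at all.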