Tomcat6 Secure cookie attribute enabled gives error: "You do not have permission for this action. Error: Invalid request"

Hello,

We have been using ODK and everything was OK until we did a PCI Qualys scan, and the scan failed because there was no Secure cookie attribute in our Tomcat 6. I added it following the manual:

Secure Cookie

By editing /path_to_tomcat/conf/server.xml

And adding the following line: secure="true"

in the HTTP non-secure Connector:

<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" secure="true"/>

Now the PCI scan passes, but ODK gives the error:

"You do not have permission for this action. Error: Invalid request"

If I remove secure="true" from server.xml, ODK starts to work again, but the PCI scan fails.

How can I fix this issue?

What happens if you disable the HTTP connector and just use HTTPS?

Yaw

--
Need ODK consultants? Nafundi provides form design, server setup, in-field training, and software development for ODK. Go to https://nafundi.com to get started.

On Tue, Feb 2, 2016 at 2:29 PM, r.pabreza@gmail.com wrote:

--
You received this message because you are subscribed to the Google Groups "ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

If you are using an SSL certificate (HTTPS), it would typically be
configured for either port 443 or port 8443; in that case, you would have
that entry declare the secure="true" attribute. e.g.,

Port 8080 (as you have configured it above) is NOT using https; it is
incorrect to set secure="true" on that port.

And your PCI scan, if it reports your system as passing by doing this, is
100% broken and entirely pointless, worthless, useless, etc.

On Wed, Feb 10, 2016 at 5:17 AM, Yaw Anokwa wrote:

--
Mitch Sundt
Software Engineer
University of Washington
mitchellsundt@gmail.com
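The connector layout Mitch describes, as an added example that is not from this thread or the ODK project: the 8080 connector stays plain HTTP and only redirects, and secure="true" goes on the TLS connector on 8443 (the standard Tomcat 6 HTTPS connector attributes). The keystore path and password are placeholders.

```xml
<!-- Added example for Tomcat 6 conf/server.xml (inside <Service>); not the poster's file. -->

<!-- Misconfigured, as in the original post: the plain-HTTP connector claims to be secure.
     With secure="true", request.isSecure() is true, so Tomcat marks the JSESSIONID cookie
     Secure even though it was set over http://. The browser will not send a Secure cookie
     back over plain HTTP, so the webapp never sees the session and rejects the request.
     A scanner that only checks the flag on the cookie then "passes" a port that is still
     cleartext, which is the point Mitch makes above. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" secure="true"/>

<!-- Corrected: the HTTP connector carries no secure/scheme attributes and only redirects
     to 8443. If, as Yaw suggests, HTTP is not needed at all, remove this connector. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"/>

<!-- The TLS connector is the one that is actually secure, so secure="true" belongs here.
     keystoreFile and keystorePass are placeholders. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/PATH/TO/keystore.jks" keystorePass="CHANGEME"/>
```

After the change, the Secure flag appears only on cookies set over https://8443, which is what the scan should be verifying.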