roel goovaerts created CONNECTORS-1594:
------------------------------------------
Summary: insecure cookie configuration
Key: CONNECTORS-1594
URL: https://issues.apache.org/jira/browse/CONNECTORS-1594
Project: ManifoldCF
Issue Type: Improvement
Components: API
Affects Versions: ManifoldCF 2.12
Reporter: roel goovaerts
The application session cookie "JSESSIONID" does not have the Secure and HttpOnly
flags set.
The application uses an HTTP cookie as session identifier. The Set-Cookie
instruction sent by the application to the browser does not specifically
instruct the browser to only use the cookie on secure communication channels
(HTTPS). As the instruction is missing, browsers will fall back to their
default setting, generally meaning that the cookie will be used on both secure
and insecure communication channels.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
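An added check, not code from the ManifoldCF project or from the report, that parses raw Set-Cookie header values and reports session cookies missing the Secure or HttpOnly attribute; the sample headers and the list of session-cookie names are constructed for this example.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Added example (not ManifoldCF code): parse each Set-Cookie value as a server
returned it and report session cookies that lack either flag, which is the
misconfiguration the report describes for JSESSIONID.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Hypothetical list of cookie names treated as session identifiers for the check.
SESSION_COOKIE_NAMES = {"jsessionid", "phpsessid", "asp.net_sessionid"}


@dataclass
class Cookie:
    name: str
    value: str
    # Lower-cased attribute name -> attribute value ("" for bare flags such as Secure).
    attributes: Dict[str, str] = field(default_factory=dict)

    def has_flag(self, flag: str) -> bool:
        # Cookie attribute names are case-insensitive (RFC 6265).
        return flag.lower() in self.attributes


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie value of the form name=value; attr; attr=value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")  # split on the first "=" only
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value, attrs)


def audit_cookie(header: str) -> List[str]:
    """Return the security attributes missing from a session cookie.

    Non-session cookies and fully hardened session cookies yield an empty list.
    """
    cookie = parse_set_cookie(header)
    if cookie.name.lower() not in SESSION_COOKIE_NAMES:
        return []
    return [flag for flag in ("Secure", "HttpOnly") if not cookie.has_flag(flag)]


# Constructed sample headers: the weak form the report describes, and the
# hardened form a Servlet 3.0+ container emits when web.xml's <cookie-config>
# sets <secure> and <http-only> to true.
WEAK_HEADER = "JSESSIONID=node0example.node0; Path=/"
HARDENED_HEADER = "JSESSIONID=node0example.node0; Path=/; Secure; HttpOnly"
```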