roel goovaerts created CONNECTORS-1594:
------------------------------------------

             Summary: insecure cookie configuration
                 Key: CONNECTORS-1594
                 URL: https://issues.apache.org/jira/browse/CONNECTORS-1594
             Project: ManifoldCF
          Issue Type: Improvement
          Components: API
    Affects Versions: ManifoldCF 2.12
            Reporter: roel goovaerts


The application session cookie "JSESSIONID" does not have Secure and HTTPOnly flags set.

The application uses an HTTP cookie as session identifier. The Set-Cookie instruction sent by the application to the browser does not specifically instruct the browser to only use the cookie on secure communication channels (HTTPS). As the instruction is missing, browsers will fall back to their default setting, generally meaning that the cookie will be used on both secure and insecure communication channels.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
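The missing-flag condition reported above is easy to verify mechanically from captured response headers. The following is an added example, not code from the ManifoldCF project or the reporter: it parses Set-Cookie header values and reports, per cookie, which of the Secure and HttpOnly attributes are absent. The sample headers are constructed for illustration and the `Path=/` value is a placeholder, not a real ManifoldCF cookie path.

```python
"""Audit Set-Cookie headers for missing Secure / HttpOnly attributes.

Added example (not part of ManifoldCF): a check a reviewer or a CI step can
run against captured HTTP response headers to confirm that a session cookie
such as JSESSIONID carries the attributes named in the issue.
"""
from typing import Dict, List, Optional, Tuple

# Attributes the issue expects on the session cookie.
REQUIRED_FLAGS = ("Secure", "HttpOnly")


def parse_set_cookie(header_value: str) -> Tuple[str, Dict[str, Optional[str]]]:
    """Split one Set-Cookie value into (cookie_name, {attr_lowercase: value}).

    Attribute names are matched case-insensitively, as browsers do; flag
    attributes without a value (Secure, HttpOnly) map to None.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = None
    return name, attrs


def missing_flags(header_value: str) -> List[str]:
    """Return the required attributes that this Set-Cookie value lacks."""
    _, attrs = parse_set_cookie(header_value)
    return [flag for flag in REQUIRED_FLAGS if flag.lower() not in attrs]


def audit_set_cookies(headers: List[str]) -> List[Tuple[str, List[str]]]:
    """Audit every header; an empty list of missing flags means the cookie is fine.

    Returns a list rather than a dict so that repeated cookie names (e.g. a
    session cookie re-issued with different attributes) are all reported.
    """
    return [(parse_set_cookie(h)[0], missing_flags(h)) for h in headers]


# Constructed sample headers (not captured from a ManifoldCF instance).
SAMPLE_HEADERS = [
    "JSESSIONID=0123456789abcdef; Path=/",                    # weak form from the issue
    "JSESSIONID=0123456789abcdef; Path=/; Secure; HttpOnly",  # hardened form
    "theme=dark; Path=/; Max-Age=31536000",                   # non-session cookie
]

if __name__ == "__main__":
    for cookie_name, lacking in audit_set_cookies(SAMPLE_HEADERS):
        status = "OK" if not lacking else "missing " + ", ".join(lacking)
        print(f"{cookie_name}: {status}")
```

For a Servlet 3.0 container the standard remedy on the server side is the `<cookie-config>` element under `<session-config>` in web.xml, with `<secure>true</secure>` and `<http-only>true</http-only>`; the check above then confirms that the deployed application actually emits those attributes.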