[
https://issues.apache.org/jira/browse/CONNECTORS-1594?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
roel goovaerts updated CONNECTORS-1594:
---------------------------------------
Summary: insecure cookie configuration vulnerability (was: insecure cookie
configuration)
> insecure cookie configuration vulnerability
> -------------------------------------------
>
> Key: CONNECTORS-1594
> URL: https://issues.apache.org/jira/browse/CONNECTORS-1594
> Project: ManifoldCF
> Issue Type: Improvement
> Components: API
> Affects Versions: ManifoldCF 2.12
> Reporter: roel goovaerts
> Priority: Minor
>
> The application session cookie "JSESSIONID" does not have the Secure and HttpOnly
> flags set.
> The application uses an HTTP cookie as session identifier. The Set-Cookie
> instruction sent by the application to the browser does not specifically
> instruct the browser to only use the cookie on secure communication channels
> (HTTPS). As the instruction is missing, browsers will fall back to their
> default setting, generally meaning that the cookie will be used on both
> secure and insecure communication channels.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
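Added example, not code from ManifoldCF or from the reporter: a small audit script that parses the Set-Cookie headers of an HTTP response and reports session cookies sent without Secure, HttpOnly or SameSite, which is the check behind the finding above. Both sample responses are constructed for the example (the cookie value, paths and the "theme" cookie are made up); the set of session cookie names is an assumption and currently contains only JSESSIONID.

```python
"""Audit Set-Cookie headers for missing Secure / HttpOnly / SameSite on session cookies.

Added example; the sample responses below are constructed, not captured from
ManifoldCF. Attribute names are compared case-insensitively, as RFC 6265 requires.
"""
from dataclasses import dataclass, field
from typing import Optional

# Assumption: only the servlet container's JSESSIONID is treated as a session cookie.
SESSION_COOKIE_NAMES = {"JSESSIONID"}


@dataclass
class CookieReport:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]
    findings: list = field(default_factory=list)


def parse_set_cookie(header_value: str):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val or True})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        # Flag attributes (Secure, HttpOnly) carry no value and are stored as True.
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value, attrs


def audit_set_cookie(header_value: str, session_names=SESSION_COOKIE_NAMES) -> CookieReport:
    """Report which protections a single Set-Cookie header is missing."""
    name, _value, attrs = parse_set_cookie(header_value)
    secure = attrs.get("secure") is True
    httponly = attrs.get("httponly") is True
    samesite = attrs.get("samesite")
    report = CookieReport(name, secure, httponly,
                          samesite if isinstance(samesite, str) else None)
    if name in session_names:
        if not secure:
            report.findings.append(f"{name}: missing Secure; also sent over plain HTTP")
        if not httponly:
            report.findings.append(f"{name}: missing HttpOnly; readable via document.cookie")
        if report.samesite is None:
            report.findings.append(f"{name}: no SameSite attribute; browser default applies")
    return report


def audit_response(raw_response: str) -> list:
    """Return one CookieReport per Set-Cookie header in a raw HTTP response text."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    reports = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        hname, sep, hval = line.partition(":")
        if sep and hname.strip().lower() == "set-cookie":
            reports.append(audit_set_cookie(hval.strip()))
    return reports


# Constructed sample: a container issuing the session cookie with neither flag.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "Set-Cookie: JSESSIONID=node0abc123.node0; Path=/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed sample: the same session cookie with the flags the report asks for,
# plus a non-session cookie that the audit deliberately leaves alone.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=node0abc123.node0; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        for r in audit_response(resp):
            print(f"[{label}] {r.name}: {'FAIL' if r.findings else 'OK'}")
            for finding in r.findings:
                print("   ", finding)
```

Secure only stops the browser from sending the cookie over plain HTTP; it does not itself force HTTPS, so an HTTP-to-HTTPS redirect or HSTS is still needed to keep the first request from leaking an already-issued cookie. In a Servlet 3.0 or later container the flags for the container-managed session cookie can be set declaratively in web.xml through the session-config/cookie-config element (secure and http-only), which is a general Servlet fact and not something this issue says ManifoldCF does.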