Antoine Musso created JENKINS-12751:
---------------------------------------
Summary: Jenkins cookie sent without secure flag
Key: JENKINS-12751
URL: https://issues.jenkins-ci.org/browse/JENKINS-12751
Project: Jenkins
Issue Type: Bug
Components: security
Reporter: Antoine Musso
When logging in over HTTPS, Jenkins sends a cookie which is missing the secure
flag. That flag asks the browser to send the cookie only over HTTPS. Thus, the
cookie might be sent unencrypted whenever someone requests the HTTP URL!
As an example, my Jenkins setup listens on both the HTTP and HTTPS protocols. The
HTTP one is a redirect to HTTPS for convenience and backward compatibility.
I am available on Freenode under the nickname hashar during European business hours.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jenkins-ci.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
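The report above describes a response header problem: a session cookie set after an HTTPS login without the `Secure` attribute, which a browser will then also attach to the plain HTTP request that only exists to redirect to HTTPS. The following is an added example, not Jenkins code and not part of the ticket: a small Python audit that parses `Set-Cookie` header values, reports a missing `Secure` (and `HttpOnly`) attribute, and applies the simplified RFC 6265 rule for whether a browser would attach the cookie to a given URL. The cookie name `JSESSIONID` and its value are constructed for the example (the ticket does not name the cookie; `JSESSIONID` is assumed only because it is the usual servlet-container session cookie name), and the path matching is a plain prefix test rather than the full browser algorithm.

```python
"""Audit Set-Cookie headers for the Secure (and HttpOnly) attribute.

Added example, not Jenkins code. Cookie names and values below are
constructed; "JSESSIONID" is assumed only because it is the default
session cookie name of Java servlet containers, the ticket itself does
not name the cookie.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    domain: Optional[str]
    path: str


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value into the attributes this audit cares about."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    secure = httponly = False
    domain: Optional[str] = None
    path = "/"  # simplification: real browsers derive the default path from the request URL
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "httponly":
            httponly = True
        elif key == "domain":
            domain = val.strip().lower().lstrip(".") or None
        elif key == "path":
            path = val.strip() or "/"
    return CookieAudit(name.strip(), secure, httponly, domain, path)


def would_browser_send(cookie: CookieAudit, url: str) -> bool:
    """Simplified browser rule (RFC 6265 section 5.4): a cookie carrying the Secure
    attribute is attached only to requests over https. Path matching is reduced
    to a prefix test and the Domain attribute is ignored in this example."""
    u = urlsplit(url)
    if cookie.secure and u.scheme.lower() != "https":
        return False
    return (u.path or "/").startswith(cookie.path)


def audit_headers(headers: List[str], served_over_https: bool = True) -> List[str]:
    """Return one finding per missing attribute, in header order.

    served_over_https: the response that set the cookie was an HTTPS response,
    so a cookie without Secure will leak on any later http:// request."""
    findings: List[str] = []
    for h in headers:
        c = parse_set_cookie(h)
        if served_over_https and not c.secure:
            findings.append(f"{c.name}: missing Secure; browser will also send it over http://")
        if not c.httponly:
            findings.append(f"{c.name}: missing HttpOnly; readable from page scripts")
    return findings


# Constructed headers: the first mirrors the report (set during an HTTPS login,
# no Secure flag), the second is what a corrected response would look like.
VULNERABLE = "JSESSIONID=deadbeef01; Path=/; HttpOnly"
CORRECTED = "JSESSIONID=deadbeef01; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    for label, hdr in (("vulnerable", VULNERABLE), ("corrected", CORRECTED)):
        c = parse_set_cookie(hdr)
        print(label, "-> sent on http://ci.example/ ?", would_browser_send(c, "http://ci.example/"))
        for finding in audit_headers([hdr]):
            print("  ", finding)
```

Run against the two constructed headers, the audit flags only the first one, and `would_browser_send` shows the practical consequence in the reporter's setup: with the HTTP listener acting as a redirect, the cookie is already on the wire in clear text in the request that triggers the redirect, before the HTTPS connection is ever made. The `HttpOnly` check is included because the same audit point is where it is normally verified; the ticket itself only concerns `Secure`.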