
Code changed in jenkins
User: Kohsuke Kawaguchi
Path:
src/java/winstone/HostConfiguration.java
http://jenkins-ci.org/commit/winstone/3caa3efc843785d73c66bcb203240708afb587bb
Log:
JENKINS-22358
Do not put session ID in the URL, which is like asking for a session
hijacking attack.
While it is unclear how JENKINS-22358 happens when several reporters
claim they have not disabled cookies, the failure mode clearly indicates
the session ID is added to the URL, so disabling that altogether at the
container level should resolve the problem.
With this change, if cookies are not enabled, a login will succeed
but one can never log in, because as soon as the user logs in, the
browser promptly forgets that session and will appear as a new user.
In the future perhaps it would be desirable to detect the browser that
doesn't support cookies, and warn the user accordingly.
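An added example, not Winstone's or Jenkins' own code, of enforcing the same policy with the standard Servlet 3.0 API: a listener restricts session tracking to cookies so the container never rewrites `;jsessionid=` into URLs, and a filter rejects and logs any request that still arrives with a session ID in its URL. The class names, the logger, and the `/*` filter mapping are assumptions.

```java
import java.io.IOException;
import java.util.EnumSet;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Cookie-only tracking: response.encodeURL()/encodeRedirectURL() stop appending
 *  ;jsessionid=..., so session IDs no longer land in links, logs or Referer headers. */
@WebListener
public class CookieOnlySessions implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        // Must run before the context is initialized, which a listener guarantees (assumed class name).
        sce.getServletContext().setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
    }
    @Override
    public void contextDestroyed(ServletContextEvent sce) { }
}

/** Defence in depth: a URL-borne session ID (old link, pasted URL) is refused outright
 *  instead of being silently ignored, and the event is logged without the ID itself. */
@WebFilter("/*")
class UrlSessionIdFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(UrlSessionIdFilter.class.getName());
    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String uri = request.getRequestURI();
        if (uri != null && uri.toLowerCase().contains(";jsessionid=")) {
            LOG.warning("session ID supplied in URL from " + request.getRemoteAddr());
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "Session IDs in the URL are not accepted; enable cookies.");
            return;
        }
        chain.doFilter(req, res);
    }
}
```

With cookie-only tracking a client that refuses cookies shows exactly the failure the commit message describes (every request is a new session), so the 400 response above is also the natural place to tell the user that cookies are required.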