Hi All, I just want to know if there is anything that can be done to bring this to closure.
Any help that you provide is greatly appreciated.

-Mohan

On Monday, May 21, 2018 at 6:43:37 PM UTC+5:30, mohan reddy wrote:
>
> Hi Team,
>
> I was hoping that you would put me in the correct direction. I have
> reached out to the support team who work on Jira tickets
> (https://issues.jenkins-ci.org/browse/SECURITY-880) but no luck.
>
> We'd like to enable the Secure flag on session IDs and any help that
> you would provide is greatly appreciated.
>
> Below is the info:
>
> In secure HTTPS applications, cookies must have the “Secure” flag set. The
> “Secure” flag informs browsers that a cookie should only be sent on
> connections that are encrypted with SSL.
>
> Without the “Secure” flag, the non-encrypted HTTP domain for the
> application receives same-origin access to cookies set by the secure HTTPS
> domain; browsers will send unencrypted plaintext copies of cookies without
> the “Secure” flag.
>
> Because any attacker on the Internet can fake the non-encrypted HTTP
> domain (it’s the encryption provided by TLS in HTTPS that prevents that
> from happening), and because cookies usually form the core of the
> authentication and authorization model of a web application, failing to set
> the “Secure” flag negates much of the security provided by SSL.
>
> *RECOMMENDATION*: Consult framework documentation to set the “Secure”
> flag on the cookie. Setting the “Secure” flag is usually simple; the
> framework may have a configuration setting that ensures all cookies are
> “Secure”, almost always provides a configuration option to ensure the
> Session cookie is “Secure”, and will usually offer the “Secure” flag as an
> option on the line of code that creates any given cookie.

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/4197debb-9da6-4cc0-9328-562dfb0b74ce%40googlegroups.com.
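One way to verify the finding quoted in the post (a session cookie issued over HTTPS without the Secure flag), as an added example that is not part of the original thread and not Jenkins code: a small Python audit that parses Set-Cookie header values the way a browser does and reports session cookies that would also be sent over plain HTTP. The set of names treated as session cookies, and the sample headers, are assumptions constructed for the example.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly flags.

Added example, not code from the mailing-list post or from Jenkins.
It parses Set-Cookie values the way a browser would and flags session
cookies that would also be sent over plain HTTP. Which names count as
session cookies is an assumption (JSESSIONID is the default name used by
Java servlet containers, including the one bundled with Jenkins).
"""
import http.client
import urllib.parse
from http.cookies import SimpleCookie

# Assumption: cookie names that usually carry a session identifier.
SESSION_COOKIE_NAMES = {"JSESSIONID", "sessionid", "PHPSESSID", "connect.sid"}


def audit_set_cookie(header_values):
    """Return one finding per cookie: its name, whether it looks like a
    session cookie, and which protective attributes are missing."""
    findings = []
    for raw in header_values:
        jar = SimpleCookie()
        jar.load(raw)  # understands value-less flags such as Secure and HttpOnly
        for name, morsel in jar.items():
            missing = []
            if not morsel["secure"]:
                missing.append("Secure")
            if not morsel["httponly"]:
                missing.append("HttpOnly")
            findings.append({
                "name": name,
                "session_cookie": name in SESSION_COOKIE_NAMES,
                "missing": missing,
            })
    return findings


def insecure_session_cookies(header_values):
    """Names of session cookies lacking the Secure flag (the finding the
    post describes), sorted and de-duplicated."""
    return sorted({f["name"] for f in audit_set_cookie(header_values)
                   if f["session_cookie"] and "Secure" in f["missing"]})


def fetch_set_cookie_headers(url, timeout=10):
    """Live check: GET `url` over HTTPS and return every Set-Cookie value.
    The Secure flag only matters for cookies issued over HTTPS, so an
    http:// URL is rejected rather than audited."""
    parts = urllib.parse.urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("audit the HTTPS endpoint, not the plain-HTTP one")
    conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443,
                                       timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        return [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]
    finally:
        conn.close()


# Constructed sample headers (not captured from any real server).
SAMPLE_HEADERS = [
    "JSESSIONID=0123456789abcdef; Path=/; HttpOnly",         # session cookie, no Secure
    "sessionid=fedcba9876543210; Path=/; Secure; HttpOnly",  # hardened session cookie
    "screenResolution=1920x1080; Path=/",                    # non-session cookie
]

if __name__ == "__main__":
    for finding in audit_set_cookie(SAMPLE_HEADERS):
        status = ("MISSING " + ", ".join(finding["missing"])) if finding["missing"] else "ok"
        kind = "session" if finding["session_cookie"] else "other"
        print(f"{finding['name']:<18} {kind:<8} {status}")
    print("session cookies without Secure:", insecure_session_cookies(SAMPLE_HEADERS))
```

Run it as-is to see the audit over the constructed headers, or call fetch_set_cookie_headers() with the HTTPS login URL of an instance and pass the result to insecure_session_cookies(). One caveat that matters for a typical Jenkins deployment: when TLS terminates at a reverse proxy, the servlet container only sees plain HTTP and has no basis for marking the session cookie Secure, so the flag has to be added at the proxy (for example nginx's proxy_cookie_flags directive or an Apache "Header edit Set-Cookie" rule) or the container has to be configured to know it sits behind TLS.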
