SM-7 Missing secure flag on session ID

In secure HTTPS applications, cookies must have the “Secure” flag set. The “Secure” flag informs browsers that a cookie should only be sent on connections that are encrypted with SSL.
Without the “Secure” flag, the non-encrypted HTTP domain for the application receives same-origin access to cookies set by the secure HTTPS domain; browsers will send unencrypted plaintext copies of cookies without the “Secure” flag. Because any attacker on the Internet can fake the non-encrypted HTTP domain (it’s the encryption provided by TLS in HTTPS that prevents that from happening), and because cookies usually form the core of the authentication and authorization model of a web application, failing to set the “Secure” flag negates much of the security provided by SSL.

RECOMMENDATION: Consult framework documentation to set the “Secure” flag on the cookie. Setting the “Secure” flag is usually simple; the framework may have a configuration setting that ensures all cookies are “Secure”, almost always provides a configuration option to ensure the session cookie is “Secure”, and will usually offer the “Secure” flag as an option on the line of code that creates any given cookie.

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/69005922-2061-494c-a246-c9cddd91b640%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
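A small checker for the condition the SM-7 finding describes, added here as an example; it is not code from the post above, from the scanner that produced the finding, or from Jenkins. It parses every Set-Cookie header in an HTTP response head and reports session-looking cookies that lack the Secure flag (and, as a bonus, HttpOnly and SameSite). The session-cookie name heuristic (`SESSION_NAME_HINTS`), the two sample responses and the Jenkins-style `JSESSIONID.<suffix>` cookie name in them are constructed for the example; `fetch_response_head()` is an optional helper for running the same audit against a live host and is not called by the sample.

```python
"""Audit Set-Cookie headers for the Secure flag.

Added example for this thread; not code from the original post, from the
scanner behind the SM-7 finding, or from Jenkins. The sample responses
below are constructed, not captured from a real server.
"""
import http.client
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Heuristic (assumption): cookie names that usually carry the authenticated session.
SESSION_NAME_HINTS = ("session", "sid", "auth", "token")


@dataclass
class CookieAudit:
    name: str
    secure: bool
    http_only: bool
    same_site: Optional[str]
    looks_like_session: bool
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Parse one Set-Cookie value per RFC 6265: 'name=value', then ';'-separated attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_eq, value = part.partition("=")
        # Attribute names are case-insensitive; flag attributes (Secure, HttpOnly) carry no value.
        attrs[key.strip().lower()] = value.strip() if has_eq else None
    audit = CookieAudit(
        name=name,
        secure="secure" in attrs,
        http_only="httponly" in attrs,
        same_site=attrs.get("samesite"),
        looks_like_session=any(h in name.lower() for h in SESSION_NAME_HINTS),
    )
    if not audit.secure:
        audit.findings.append("missing Secure: browser will also send it over plaintext HTTP")
    if not audit.http_only:
        audit.findings.append("missing HttpOnly: readable from script")
    if audit.same_site is None:
        audit.findings.append("missing SameSite")
    return audit


def audit_response_head(raw_head: str) -> List[CookieAudit]:
    """Audit every Set-Cookie header in a raw HTTP response head (status line plus headers)."""
    audits = []
    for line in raw_head.splitlines():
        field_name, sep, value = line.partition(":")
        if sep and field_name.strip().lower() == "set-cookie":
            audits.append(parse_set_cookie(value.strip()))
    return audits


def session_cookies_missing_secure(raw_head: str) -> List[str]:
    """Names of session-looking cookies set without the Secure flag (the SM-7 condition)."""
    return [a.name for a in audit_response_head(raw_head)
            if a.looks_like_session and not a.secure]


def fetch_response_head(host: str, path: str = "/", port: int = 443, timeout: float = 10.0) -> str:
    """Fetch the head of one HTTPS GET in the raw form audit_response_head() expects.
    Makes a network call; not used by the constructed sample below."""
    conn = http.client.HTTPSConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        # getheaders() keeps repeated Set-Cookie headers as separate entries.
        lines = [f"HTTP/1.1 {resp.status} {resp.reason}"]
        lines += [f"{k}: {v}" for k, v in resp.getheaders()]
        return "\r\n".join(lines) + "\r\n"
    finally:
        conn.close()


# Constructed sample: a Jenkins-style session cookie set without Secure (the finding) ...
SAMPLE_VULNERABLE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID.a1b2c3d4=node0abc123.node0; Path=/; HttpOnly\r\n"
    "Set-Cookie: screenResolution=1920x1080; Path=/\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
)

# ... and the same response after the recommended fix.
SAMPLE_FIXED = SAMPLE_VULNERABLE.replace(
    "Path=/; HttpOnly", "Path=/; Secure; HttpOnly; SameSite=Lax"
)

if __name__ == "__main__":
    for label, head in (("vulnerable", SAMPLE_VULNERABLE), ("fixed", SAMPLE_FIXED)):
        print(f"[{label}] session cookies missing Secure:", session_cookies_missing_secure(head))
        for a in audit_response_head(head):
            print(f"  {a.name}: {'; '.join(a.findings) or 'ok'}")
```

For a Servlet 3.0+ container such as the one Jenkins embeds, the configuration the recommendation refers to is `<session-config><cookie-config><secure>true</secure></cookie-config></session-config>` in web.xml (or `SessionCookieConfig.setSecure(true)` at startup). That setting marks the session cookie Secure unconditionally, which is what you want when TLS terminates at a reverse proxy and the container itself only ever sees plain HTTP; rerun the checker against the public HTTPS address afterwards, since the proxy, not the container, is what the browser talks to.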
