[http://opencast.jira.com/browse/MH-8659?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=29719#comment-29719]
Stephen Marquard commented on MH-8659:
--------------------------------------
Here's one scenario:
You have a Matterhorn instance that is accessible on both https and http. You
are a Matterhorn admin, and as you happen to be logging in over an insecure
wifi connection, you know to use https so that your credentials are protected
and cannot be trivially sniffed. Matterhorn logs you in and gives you a cookie.
Now you inadvertently access Matterhorn on the http URL (say you follow a link
to the media player served on http). Your browser helpfully sends the cookie
previously set for your https session. The evil wifi sniffer now has your
session cookie, and thus has access to an authenticated admin session.
That's the case for setting the Secure flag on the cookie. The HttpOnly flag
provides protection against certain classes of script attacks.
> Set https cookies with Secure and HttpOnly
> ------------------------------------------
>
> Key: MH-8659
> URL: http://opencast.jira.com/browse/MH-8659
> Project: Matterhorn Project
> Issue Type: Bug
> Components: Administrative Tools
> Affects Versions: 1.3
> Reporter: Stephen Marquard
>
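The scenario above, as an added example (not code from the ticket or from Matterhorn): a small audit that parses a Set-Cookie header, reports whether Secure and HttpOnly are missing, and applies the browser rule that a Secure cookie is never sent on a plain-http request. The cookie name, value and player URL are constructed placeholders, not values from the issue.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes and
simulate the ticket's scenario: a cookie issued during an https session is
replayed by the browser on an http request unless the Secure flag is set."""
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool
    httponly: bool


def parse_set_cookie(header: str) -> Cookie:
    """Parse 'name=value; Attr; Attr=val ...' into a Cookie record."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return Cookie(name.strip(), value, "secure" in attrs, "httponly" in attrs)


def missing_flags(cookie: Cookie) -> list:
    """Return the attributes a session cookie should carry but does not."""
    missing = []
    if not cookie.secure:
        missing.append("Secure")
    if not cookie.httponly:
        missing.append("HttpOnly")
    return missing


def sent_on_request(cookie: Cookie, url: str) -> bool:
    """Browser rule: a Secure cookie is only attached to https requests.
    HttpOnly does not affect this; it only blocks script access."""
    return urlparse(url).scheme == "https" or not cookie.secure


# Constructed sample headers (placeholder cookie name and value).
WEAK = "SESSION=abc123; Path=/"
FIXED = "SESSION=abc123; Path=/; Secure; HttpOnly"
HTTP_PLAYER_URL = "http://matterhorn.example/engage/player.html"  # placeholder


def audit(header: str, http_url: str = HTTP_PLAYER_URL) -> dict:
    """Summarise the risk for one Set-Cookie header."""
    c = parse_set_cookie(header)
    return {"cookie": c.name, "missing": missing_flags(c),
            "leaks_over_http": sent_on_request(c, http_url)}


if __name__ == "__main__":
    for h in (WEAK, FIXED):
        print(audit(h))
```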
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
http://opencast.jira.com/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira