Toshihiro Suzuki created ACCUMULO-4676:
------------------------------------------
Summary: Missing HttpOnly flag on the JSESSIONID cookie in Monitor UI
Key: ACCUMULO-4676
URL: https://issues.apache.org/jira/browse/ACCUMULO-4676
Project: Accumulo
Issue Type: Improvement
Components: monitor
Reporter: Toshihiro Suzuki
Priority: Minor
Currently, the JSESSIONID cookie in Monitor UI doesn't have the HttpOnly flag set.
If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be
read or set by client-side JavaScript. This measure can prevent certain
client-side attacks, such as cross-site scripting, from trivially capturing the
cookie's value via an injected script. Malicious client-side code can access
the JSESSIONID and hijack active sessions to gain unauthorized access to the
application.
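A small check for verifying the fix from the response side, added here as an example and not part of the Accumulo code base: it parses Set-Cookie headers (attribute names are case-insensitive per RFC 6265) and reports any session cookie that lacks HttpOnly; the Secure check is an addition beyond this issue, and the sample headers are constructed to resemble a Monitor UI response before and after the fix.

```python
"""Audit Set-Cookie headers for session cookies missing the HttpOnly flag.

Added example, not part of ACCUMULO-4676 or the Accumulo code base. The
sample headers below are constructed, not captured from a real Monitor UI.
"""
from typing import Dict, List

# Cookie names treated as session identifiers. JSESSIONID is the servlet
# container default the issue refers to; the set is an assumption.
SESSION_COOKIE_NAMES = {"jsessionid"}


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into name, value and attributes.

    Attribute names are lower-cased because RFC 6265 treats them as
    case-insensitive, so 'HTTPOnly', 'HttpOnly' and 'httponly' all match.
    Flag attributes without a value (HttpOnly, Secure) are stored as True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        key, has_val, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_set_cookie(headers: List[str]) -> List[str]:
    """Return one finding per session cookie lacking HttpOnly or Secure."""
    findings: List[str] = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if str(cookie["name"]).lower() not in SESSION_COOKIE_NAMES:
            continue  # only session identifiers are in scope here
        attrs = cookie["attrs"]
        if "httponly" not in attrs:
            findings.append(f"{cookie['name']}: missing HttpOnly")
        if "secure" not in attrs:
            findings.append(f"{cookie['name']}: missing Secure")
    return findings


# Constructed samples: the first mimics the Monitor UI before the fix,
# the second shows a response with both flags present.
SAMPLE_HEADERS = [
    "JSESSIONID=node0abc123.node0; Path=/",
    "JSESSIONID=node0abc123.node0; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for finding in audit_set_cookie(SAMPLE_HEADERS):
        print(finding)
```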
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)