ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE cookie no HttpOnly flag


Jenkins' remember me cookie (ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE) is set without the HttpOnly flag.

Both the JSESSIONID and the ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE cookies can be used interchangeably to access the application.

Assignee: Kohsuke Kawaguchi
Reporter: Luca Carettoni
Archiver: Jenkins Service Account
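
A check for the condition reported above, as an added example that is not part of the original issue or of Jenkins' code: it parses `Set-Cookie` header values and reports any session-equivalent cookie set without `HttpOnly`. The function names are hypothetical and the sample header values are constructed; attribute matching is done per attribute rather than by substring, so a cookie value that happens to contain "HttpOnly" does not hide a finding.

```python
"""Audit Set-Cookie headers for session-equivalent cookies missing HttpOnly."""

# Cookie names taken from the issue; either one grants access to the application.
SESSION_EQUIVALENT = {"JSESSIONID", "ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE"}


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased because they are case-insensitive;
    flag attributes such as HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def missing_httponly(set_cookie_values, names=SESSION_EQUIVALENT):
    """Return the names of listed cookies that are set without HttpOnly."""
    findings = []
    for raw in set_cookie_values:
        name, _, attrs = parse_set_cookie(raw)
        if name in names and "httponly" not in attrs:
            findings.append(name)
    return findings


# Constructed sample headers (assumption: not captured from a real instance).
SAMPLE = [
    "JSESSIONID=constructed-session-id; Path=/; httponly",
    "ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE=HttpOnly-constructed; "
    "Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for cookie in missing_httponly(SAMPLE):
        print(f"FINDING: {cookie} set without HttpOnly")
```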
