
ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE cookie no HttpOnly flag

    • Type: Bug
    • Resolution: Fixed
    • Priority: Minor
    • Component: core

      Jenkins' remember me cookie (ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE) is set without the HttpOnly flag.

      Both the JSESSIONID and the ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE cookies can be used interchangeably to access the application.
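The report above is the kind of finding a quick header audit turns up: every cookie that can stand in for a login needs the same protections as the session cookie itself. The following is an added example (not code from the Jenkins project or from this issue) that parses Set-Cookie headers and reports credential-bearing cookies that lack HttpOnly or Secure. The sample headers, the cookie values and the JSESSIONID suffix are constructed for the example; the cookie-name list is an assumption about which cookies grant access, taken from the description.

```python
"""Audit Set-Cookie headers for credential cookies that lack HttpOnly (and Secure)."""
from typing import Dict, List, Optional, Tuple

# Cookies that carry authentication state in Jenkins (assumed from the issue
# description). Either one is as good as a login, so both need the same flags.
CREDENTIAL_COOKIE_PREFIXES = ("JSESSIONID", "ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE")

# Constructed Set-Cookie headers modelled on a pre-fix login response. Values and the
# session-cookie suffix are made up; nothing here was captured from a real instance.
SAMPLE_HEADERS = [
    "JSESSIONID.7d2a1b3c=node0k9v8m2q1r5t7.node0; Path=/; HttpOnly",
    "ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE=YWxpY2U6MTQyNjAwMDAwMDAwMDpkZWFkYmVlZg; "
    "Path=/; Expires=Sat, 28-Mar-2015 12:00:00 GMT",
    "screenResolution=1920x1080; Path=/",
]


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Optional[str]]]:
    """Split one Set-Cookie header into (name, value, {attribute: value_or_None}).

    Attribute names are case-insensitive (RFC 6265), so they are lower-cased;
    flag attributes such as HttpOnly and Secure map to None.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value, attrs


def is_credential_cookie(name: str) -> bool:
    """Match exact names and suffixed variants such as JSESSIONID.<hash>."""
    return any(name == p or name.startswith(p + ".") for p in CREDENTIAL_COOKIE_PREFIXES)


def audit_cookies(headers: List[str], require_secure: bool = True) -> Dict[str, List[str]]:
    """Return {cookie_name: [missing flags]} for credential cookies missing flags.

    Cookies with nothing missing are omitted, so an empty dict is a clean result.
    """
    required = ["httponly"] + (["secure"] if require_secure else [])
    findings: Dict[str, List[str]] = {}
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if not is_credential_cookie(name):
            continue
        missing = [flag for flag in required if flag not in attrs]
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for cookie, missing in audit_cookies(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```

Against a live instance the same functions can be fed the `Set-Cookie` headers from a login response (for example `curl -i` output or `response.raw.headers.getlist("Set-Cookie")` in requests); pass `require_secure=False` when the instance is deliberately served over plain HTTP and only the HttpOnly finding is of interest.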


          Daniel Beck added a comment -

          I see the same behavior on my instance. Only JSESSIONID has HttpOnly set (SECURITY-120).


          Kohsuke Kawaguchi added a comment -

          As with SECURITY-120, this is rejected as a vulnerability, and instead treated as hardening.

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          changelog.html
          core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java
          http://jenkins-ci.org/commit/jenkins/b400d1507a25c895f99b983bee713952af5edadd
          Log:
          [FIXED JENKINS-27277]

          dogfood added a comment -

          Integrated in jenkins_main_trunk #4001
          [FIXED JENKINS-27277] (Revision b400d1507a25c895f99b983bee713952af5edadd)

          Result = SUCCESS
          kohsuke : b400d1507a25c895f99b983bee713952af5edadd
          Files :

          • core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java
          • changelog.html


            Assignee: Kohsuke Kawaguchi (kohsuke)
            Reporter: Luca Carettoni (_ikki)
            Votes: 0
            Watchers: 4