
ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE cookie no HttpOnly flag

    • Type: Bug
    • Resolution: Fixed
    • Priority: Minor
    • core
    • None

      Jenkins' remember me cookie (ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE) is set without the HttpOnly flag.

      Both the JSESSIONID and the ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE cookies can be used interchangeably to access the application.
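Added example, not part of the original report and not Jenkins code: a check over captured `Set-Cookie` response header values that reports authentication cookies issued without `HttpOnly`. The cookie names come from the report; the header values are constructed samples, and skipping `Max-Age=0` deletions and accepting a `JSESSIONID.<suffix>` name are assumptions of this example.

```python
# Names from the issue: either cookie authenticates the user, so both need HttpOnly.
AUTH_COOKIES = ("JSESSIONID", "ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE")


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    first, *rest = header_value.split(";")
    name, _, value = first.strip().partition("=")  # value may itself contain '='
    attrs = {}
    for part in rest:
        key, _, val = part.strip().partition("=")
        if key:
            attrs[key.lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), value.strip(), attrs


def cookies_missing_httponly(set_cookie_values, auth_cookies=AUTH_COOKIES):
    """Return the names of authentication cookies set without HttpOnly."""
    missing = []
    for raw in set_cookie_values:
        name, _value, attrs = parse_set_cookie(raw)
        # Assumption: the session cookie may carry a suffix, e.g. JSESSIONID.abc123.
        if not any(name == c or name.startswith(c + ".") for c in auth_cookies):
            continue
        # Assumption: Max-Age=0 is a deletion (logout) and carries no credential.
        if attrs.get("max-age") == "0":
            continue
        if "httponly" not in attrs:
            missing.append(name)
    return missing


# Constructed sample headers, not captured from a real Jenkins instance.
SAMPLE = [
    "JSESSIONID=node0constructed; Path=/; HttpOnly",
    "ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE=Y29uc3RydWN0ZWQ=; Path=/; Max-Age=1209600",
    "screenResolution=1920x1080; Path=/",
]

if __name__ == "__main__":
    for cookie_name in cookies_missing_httponly(SAMPLE):
        print("missing HttpOnly:", cookie_name)
```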

          [JENKINS-27277] ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE cookie no HttpOnly flag

          Luca Carettoni created issue -
          Jesse Glick made changes -
          Link New: This issue is blocking SECURITY-120 [ SECURITY-120 ]
          Jesse Glick made changes -
          Status Original: Untriaged [ 10001 ] New: Open [ 1 ]
          Kohsuke Kawaguchi made changes -
          Component/s New: core [ 15593 ]
          Component/s Original: core [ 15738 ]
          Key Original: SECURITY-178 New: JENKINS-27277
          Project Original: Security Issues [ 10180 ] New: Jenkins [ 10172 ]
          Workflow Original: Security v1.2 [ 161097 ] New: JNJira [ 161481 ]
          SCM/JIRA link daemon made changes -
          Resolution New: Fixed [ 1 ]
          Status Original: Open [ 1 ] New: Resolved [ 5 ]
          R. Tyler Croy made changes -
          Workflow Original: JNJira [ 161481 ] New: JNJira + In-Review [ 196639 ]
          Jesse Glick made changes -
          Link New: This issue is duplicated by JENKINS-24840 [ JENKINS-24840 ]
          Daniel Beck made changes -
          Link New: This issue is duplicated by SECURITY-502 [ SECURITY-502 ]

            kohsuke Kohsuke Kawaguchi
            _ikki Luca Carettoni