
ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE cookie no HttpOnly flag

Details

• Type: Bug
• Status: Resolved
• Priority: Minor
• Resolution: Fixed
• Component/s: core
• Labels: None

Description

Jenkins' remember me cookie (ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE) is set without the HttpOnly flag.

Both the JSESSIONID and the ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE cookies can be used interchangeably to access the application.
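A check a defender can run over a Jenkins response's Set-Cookie headers to confirm that both session-granting cookies named in the report carry HttpOnly (and Secure, when the instance is served over HTTPS). This is an added example, not code from Jenkins or from the fix commit; the header lines are constructed, and the handling of a dotted JSESSIONID suffix is an assumption of mine.

```python
# Audit Set-Cookie headers for the two cookies the report says grant
# access to Jenkins. Added example; not Jenkins code.
from typing import Dict, List

# Cookie names from the report. Jenkins may append a dotted suffix to
# JSESSIONID (assumption), so names are compared on the first segment.
SESSION_COOKIES = ("JSESSIONID", "ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE")
REQUIRED_FLAGS = ("httponly", "secure")


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes (HttpOnly, Secure) carry no value; record them as True.
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def base_name(cookie_name: str) -> str:
    """Strip an optional dotted suffix (e.g. JSESSIONID.<id>) from a cookie name."""
    return cookie_name.split(".", 1)[0]


def audit_session_cookies(headers: List[str]) -> Dict[str, List[str]]:
    """Map each session-granting cookie to the hardening flags it is missing."""
    findings: Dict[str, List[str]] = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        base = base_name(str(cookie["name"]))
        if base not in SESSION_COOKIES:
            continue
        findings[base] = [f for f in REQUIRED_FLAGS if f not in cookie["attrs"]]
    return findings


# Constructed headers modelled on the report: only JSESSIONID has HttpOnly.
BEFORE_FIX = [
    "JSESSIONID.0a1b2c3d=node0constructed.node0; Path=/; HttpOnly",
    "ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE=constructed-token; Expires=Thu, 12-Mar-2015 00:00:00 GMT; Path=/",
]
# Constructed headers for a hardened response served over HTTPS.
AFTER_FIX = [
    "JSESSIONID.0a1b2c3d=node0constructed.node0; Path=/; Secure; HttpOnly",
    "ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE=constructed-token; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for label, headers in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, audit_session_cookies(headers))
```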

Activity

danielbeck Daniel Beck added a comment -

I see the same behavior on my instance. Only JSESSIONID has HttpOnly set (SECURITY-120).

kohsuke Kohsuke Kawaguchi added a comment -

As with SECURITY-120, this is rejected as a vulnerability, and instead treated as hardening.

scm_issue_link SCM/JIRA link daemon added a comment -

Code changed in jenkins
User: Kohsuke Kawaguchi
Path:
changelog.html
core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java
http://jenkins-ci.org/commit/jenkins/b400d1507a25c895f99b983bee713952af5edadd
Log:
[FIXED JENKINS-27277]

dogfood dogfood added a comment -

Integrated in jenkins_main_trunk #4001
[FIXED JENKINS-27277] (Revision b400d1507a25c895f99b983bee713952af5edadd)

Result = SUCCESS
kohsuke : b400d1507a25c895f99b983bee713952af5edadd
Files :

• core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java
• changelog.html

People

• Assignee: kohsuke Kohsuke Kawaguchi
• Reporter: _ikki Luca Carettoni
• Votes: 0
• Watchers: 4
