In secure HTTPS applications, cookies must have the “Secure” flag set. The “Secure” flag informs browsers that a cookie should only be sent on connections that are encrypted with SSL.
Without the “Secure” flag, the non-encrypted HTTP domain for the application receives same-origin access to cookies set by the secure HTTPS domain; browsers will send unencrypted plaintext copies of any cookie that lacks the “Secure” flag.
RECOMMENDATION: Consult framework documentation to set the “Secure” flag on the cookie. Setting the “Secure” flag is usually simple: the framework may have a configuration setting that ensures all cookies are “Secure”, it almost always provides a configuration option to ensure the Session cookie is “Secure”, and it will usually offer the “Secure” flag as an option on the line of code that creates any given cookie.
This message was sent by Atlassian JIRA (v7.3.0#73011-sha1:3c73d0e)
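One way to check a response for the issue described above: an added example, not part of the original report or of Jenkins. The function names and the sample headers are constructed for illustration.

```python
"""Audit Set-Cookie header values for a missing Secure attribute."""


def parse_set_cookie(header_value):
    """Return (cookie_name, {lowercased_attribute_name: value}) for one Set-Cookie value."""
    # Browsers split a Set-Cookie value on ';' without honouring quotes,
    # so a plain split mirrors how the attribute list is actually read.
    parts = header_value.split(";")
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        key = key.strip().lower()
        if key:
            attrs[key] = val.strip()
    return name.strip(), attrs


def cookies_missing_secure(set_cookie_values):
    """Return the names of cookies whose attribute list has no Secure attribute."""
    missing = []
    for raw in set_cookie_values:
        name, attrs = parse_set_cookie(raw)
        # Attribute names are case-insensitive, and only text after the first
        # ';' is an attribute: "secure" inside the name or value is not the flag.
        if name and "secure" not in attrs:
            missing.append(name)
    return missing


# Constructed sample headers, as an HTTPS application might send them.
SAMPLE_HEADERS = [
    "JSESSIONID=node01abc; Path=/; HttpOnly",           # flag absent
    "csrf=9f2c; Path=/; Secure; HttpOnly",              # flag present
    "remember=1; Path=/; secure",                       # lower case still counts
    "mode=secure; Path=/; HttpOnly",                    # value only, flag absent
    "theme=dark; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/",
]

if __name__ == "__main__":
    for cookie in cookies_missing_secure(SAMPLE_HEADERS):
        print("missing Secure:", cookie)
```

Feed it the Set-Cookie values captured from the application's HTTPS responses; any name it returns is a cookie the browser would also send over plain HTTP.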