Session cookie attributes are not set properly in Jenkins


Mohtashim S
It is observed that the Path cookie attribute is not set properly in Jenkins.

Set-Cookie: ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE=; Path=/;...Max-Age=0; Secure; HttpOnly 

Problem Description:

Verify that the domain has not been set too loosely. It should only be set for the server that needs to receive the cookie. For example: if the application resides on the server app.mysite.com, then it should be set to `; domain=app.mysite.com` and not to `; domain=.mysite.com`, as this would allow other potentially vulnerable servers to receive the cookie.

Path: Verify that the Path attribute has not been set too loosely. Even if the Domain attribute has been configured securely, if the path is set to the root directory `/` then it can be vulnerable to less secure applications on the same server. For example: if the application resides at /myapp/, then verify that the cookie's path is set to `; path=/myapp/` and not to `; path=/`.

Can you please suggest?

To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/9014308c-dbc7-48cf-9170-248e2219116bn%40googlegroups.com.
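The checks quoted in the post (Domain scoped to the serving host, Path scoped to the application, plus the Secure and HttpOnly flags) can be applied mechanically to captured Set-Cookie headers. The script below is an added example, not code from the post or from Jenkins; it assumes a hypothetical host `app.mysite.com` and context path `/jenkins/`, and the sample header lines are constructed here (the first mirrors the one quoted above). A cookie with no Domain attribute is host-only under RFC 6265, the tightest possible scope, so the script does not flag it.

```python
from typing import Dict, List, Union

# Constructed sample Set-Cookie lines; the first mirrors the header quoted in the post.
SAMPLE_HEADERS = [
    "Set-Cookie: ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE=; Path=/; Max-Age=0; Secure; HttpOnly",
    "Set-Cookie: JSESSIONID.abc123=deadbeef; Path=/jenkins/; Domain=app.mysite.com; Secure; HttpOnly",
    "Set-Cookie: JSESSIONID.abc123=deadbeef; Path=/; Domain=.mysite.com",
]


def parse_set_cookie(header: str) -> Dict[str, Union[str, bool]]:
    """Split one Set-Cookie line into its name/value pair and attributes.

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to True.
    """
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie: Dict[str, Union[str, bool]] = {"name": name.strip(), "value": value.strip()}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        cookie[key.strip().lower()] = val.strip() if has_value else True
    return cookie


def _norm_path(path: str) -> str:
    """Normalise to a single leading and trailing slash so /myapp and /myapp/ compare equal."""
    inner = path.strip("/")
    return "/" + inner + "/" if inner else "/"


def check_cookie_scope(header: str, app_host: str, app_path: str) -> List[str]:
    """Return findings for one Set-Cookie line using the Domain/Path rules from the post.

    app_host and app_path describe where the application actually lives
    (hypothetical values are passed in below). No Domain attribute means the
    cookie is host-only (RFC 6265), so only an explicit, wider Domain is flagged.
    """
    cookie = parse_set_cookie(header)
    name = cookie["name"]
    findings: List[str] = []

    domain = cookie.get("domain")
    if isinstance(domain, str) and domain.lstrip(".").lower() != app_host.lower():
        findings.append(f"{name}: Domain={domain} is looser than host {app_host}")

    want_path = _norm_path(app_path)
    path = cookie.get("path")
    if want_path != "/":
        if not isinstance(path, str):
            findings.append(f"{name}: no Path attribute; browser derives it from the request URL")
        elif _norm_path(path) != want_path:
            findings.append(f"{name}: Path={path} exposes the cookie outside {want_path}")

    if cookie.get("secure") is not True:
        findings.append(f"{name}: missing Secure flag")
    if cookie.get("httponly") is not True:
        findings.append(f"{name}: missing HttpOnly flag")
    return findings


def audit(headers: List[str], app_host: str, app_path: str) -> List[List[str]]:
    """Run check_cookie_scope over several headers, one findings list per header."""
    return [check_cookie_scope(h, app_host, app_path) for h in headers]


if __name__ == "__main__":
    for header, issues in zip(SAMPLE_HEADERS, audit(SAMPLE_HEADERS, "app.mysite.com", "/jenkins/")):
        print(parse_set_cookie(header)["name"], "->", issues or ["ok"])
```

Feed it the Set-Cookie lines from a captured response (for example from your proxy or browser developer tools) together with the real host and context path the application is served under; when the application is mounted at the root, pass `/` as the path and only the Domain and flag checks apply.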