Hi All, I just want to know if we have any thing can be done to bring this to closure.
Any help that you provide is greatly appreciated. -Mohan On Monday, May 21, 2018 at 6:43:37 PM UTC+5:30, mohan reddy wrote: > > Hi Team, > > I was hoping that you would put me in the correct direction. I have > reached out to support team who work on Jira tickets ( > https://issues.jenkins-ci.org/browse/SECURITY-880) but no luck. > > We'd like to enable the secure flag on session ID's and any help that > would provide is greatly appreciated. > > Below, is the info: > > > In secure HTTPS applications, cookies must have the “Secure” flag set. The > “Secure” flag informs browsers that a cookie should only be sent on > connections that are encrypted with SSL. > > Without the “secure” flag, the non-encrypted HTTP domain for the > application receives same-origin access to cookies set by the secure HTTPS > domain; browsers will send unencrypted plaintext copies of cookies without > the “secure” flag. > > Because any attacker on the Internet can fake the non-encrypted HTTP > domain (it’s the encryption provided by TLS in HTTPS that prevents that > from happening), and because cookies usually form the core of the > authentication and authorization model of a web application, failing to set > the “Secure” flag negates much of the security provided by SSL. > > *RECOMMENDATION*: Consult framework documentation to set the “Secure” > flag on the cookie. Setting the “Secure” flag is usually simple; the > framework may have a configuration setting that ensures all cookies are > “Secure”, almost always provides a configuration option to ensure the > Session cookie is “Secure”, and will usually offer the “Secure” flag as an > option on the line of code that creates any given cookie. > > > > > > -- You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/4197debb-9da6-4cc0-9328-562dfb0b74ce%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
