SM-7 Missing secure flag on session ID In secure HTTPS applications, cookies must have the “Secure” flag set. The “Secure” flag informs browsers that a cookie should only be sent on connections that are encrypted with SSL.
Without the “secure” flag, the non-encrypted HTTP domain for the application receives same-origin access to cookies set by the secure HTTPS domain; browsers will send unencrypted plaintext copies of cookies without the “secure” flag. Because any attacker on the Internet can fake the non-encrypted HTTP domain (it’s the encryption provided by TLS in HTTPS that prevents that from happening), and because cookies usually form the core of the authentication and authorization model of a web application, failing to set the “Secure” flag negates much of the security provided by SSL. RECOMMENDATION: Consult framework documentation to set the “Secure” flag on the cookie. Setting the “Secure” flag is usually simple; the framework may have a configuration setting that ensures all cookies are “Secure”, almost always provides a configuration option to ensure the Session cookie is “Secure”, and will usually offer the “Secure” flag as an option on the line of code that creates any given cookie. -- You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/69005922-2061-494c-a246-c9cddd91b640%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
