Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: 2.6.6
    • Fix Version/s: 4.4.0
    • Component/s: Web UI
    • Labels:
      None

      Description

      The application does not use cookies with the HttpOnly or Secure flags.
      1. HttpOnly - This cookie flag prevents the cookie from being accessed from JavaScript. Setting the HttpOnly flag when cookies are issued helps mitigate the risk of a cross-site scripting attack being used to steal authentication cookies.
      2. Secure - The Secure cookie flag prevents cookies from being sent over unencrypted channels (e.g. HTTP rather than HTTPS).

      Recommendation: Our IT recommends adopting a development policy that includes always setting cookies with the HttpOnly and Secure flags. For more information, see the following:

      http://en.wikipedia.org/wiki/HTTP_cookie#Secure_and_HttpOnly
      https://www.owasp.org/index.php/SecureFlag
      https://www.owasp.org/index.php/HttpOnly
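As an added illustration of the two flags (example code written for this page, not part of the product or this issue), the following audits the Set-Cookie headers of a response for the missing flags and shows how a compliant header is built; the cookie names and header values are constructed samples.

```python
from http.cookies import SimpleCookie

# Flags every session cookie should carry; attribute names are case-insensitive in Set-Cookie.
REQUIRED_FLAGS = ("HttpOnly", "Secure")

# Constructed sample response headers: one cookie lacks both flags, one lacks Secure.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/"),
    ("Set-Cookie", "ui_pref=dark; Path=/; HttpOnly"),
]


def missing_flags(set_cookie_value: str) -> list[str]:
    """Return the required flags absent from a single Set-Cookie header value."""
    # Everything after the first ';' is an attribute; flags have no '=' part.
    attrs = {part.strip().split("=", 1)[0].lower()
             for part in set_cookie_value.split(";")[1:]}
    return [flag for flag in REQUIRED_FLAGS if flag.lower() not in attrs]


def audit_response_cookies(headers: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Map each cookie name to the flags it lacks; compliant cookies are not reported."""
    findings: dict[str, list[str]] = {}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie_name = value.split(";", 1)[0].split("=", 1)[0].strip()
        gaps = missing_flags(value)
        if gaps:
            findings[cookie_name] = gaps
    return findings


def hardened_set_cookie(name: str, value: str, path: str = "/") -> str:
    """Build a Set-Cookie value with both flags, the recommended default for any cookie."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = path
    jar[name]["httponly"] = True
    jar[name]["secure"] = True
    return jar[name].OutputString()


if __name__ == "__main__":
    print(audit_response_cookies(SAMPLE_HEADERS))
    print(hardened_set_cookie("JSESSIONID", "abc123"))
```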

              People

              • Assignee:
                yossis Yossi Shaul
                Reporter:
                amargono amargono
                Assigned QA:
                Anastasiya Muntyan
              • Votes:
                0
                Watchers:
                2
