
Cookies Set Without HttpOnly or Secure Flags

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: 2.6.6
    • Fix Version/s: 4.4.0
    • Component/s: Web UI
    • Labels: None

      Description

      The application does not use cookies with the HttpOnly or Secure flags.
      1. HttpOnly - This cookie flag prevents the cookie from being accessed from JavaScript. Using the HttpOnly flag when cookies are set helps mitigate the risk of a cross-site scripting attack being used to steal authentication cookies.
      2. Secure - The Secure cookie flag prevents cookies from being sent over unencrypted channels (e.g. HTTP rather than HTTPS).

      Recommendation: Our IT recommends adopting a development policy that includes always setting cookies with the HttpOnly and Secure flags. For more information, see the following:

      http://en.wikipedia.org/wiki/HTTP_cookie#Secure_and_HttpOnly
      https://www.owasp.org/index.php/SecureFlag
      https://www.owasp.org/index.php/HttpOnly
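As an added check that is not part of this issue or of Artifactory's own code, the following Python audit parses the Set-Cookie headers of an HTTP response and reports which cookies lack the HttpOnly or Secure attributes described above. The sample header values are constructed for illustration, not captured from a real server.

```python
"""Audit Set-Cookie header values for the HttpOnly and Secure attributes."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class CookieAudit:
    name: str
    httponly: bool
    secure: bool

    def missing(self) -> List[str]:
        """Attributes the cookie should carry but does not (empty list = OK)."""
        gaps = []
        if not self.httponly:
            gaps.append("HttpOnly")
        if not self.secure:
            gaps.append("Secure")
        return gaps


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Parse a single Set-Cookie header value: name=value; attr; attr=val ..."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; HttpOnly and Secure carry no value.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return CookieAudit(name=name,
                       httponly="httponly" in attrs,
                       secure="secure" in attrs)


def audit_response(set_cookie_headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to the list of flags it is missing."""
    return {c.name: c.missing() for c in map(parse_set_cookie, set_cookie_headers)}


# Constructed sample headers (not real Artifactory output).
SAMPLE_HEADERS = [
    "JSESSIONID=1A2B3C4D; Path=/artifactory; HttpOnly",                   # Secure missing
    "REMEMBER_ME=dGVzdA; Path=/; Expires=Wed, 01 Jan 2020 00:00:00 GMT",  # both missing
    "XSRF-TOKEN=abc123; Path=/; Secure; HttpOnly",                        # compliant
]

if __name__ == "__main__":
    for cookie, gaps in audit_response(SAMPLE_HEADERS).items():
        print(f"{cookie}: {'OK' if not gaps else 'missing ' + ', '.join(gaps)}")
```

The Secure flag only has effect when the application is actually reached over HTTPS, so a deployment served over plain HTTP should be fixed at the transport layer as well, not just by adding the flag.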

              People

              Assignee:
              yossis Yossi Shaul
              Reporter:
              amargono amargono
              Votes:
              0
              Watchers:
              2
