  1. Artifactory Binary Repository
  2. RTFACT-7198

Cookie(s) without "secure" attribute

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: 3.5.1
    • Fix Version/s: 4.4.0
    • Component/s: None
    • Labels:
      None

      Description

      From the ticket opened by a customer:

      <description>
      The application web server does not set the Secure attribute when generating certain application cookies. Without the Secure flag set, the web server will transmit the cookie in clear text if the application is accessible over an unencrypted channel. Consequently, an attacker can view any sensitive data in the cookie and gain unauthorized access to the application by hijacking a user’s session.
      The following cookies were generated without the Secure attribute set.
      art-page

      This finding was discovered on the following application pages.
      /artifactory/webapp/bintraysearch.html
      /artifactory/webapp/browserepo.html
      </description>

      Here are a couple of links describing the nature of the Secure attribute/flag:
      https://www.owasp.org/index.php/SecureFlag
      http://resources.infosecinstitute.com/securing-cookies-httponly-secure-flags/
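
A check for the condition this ticket reports, as an added example that is not part of the original ticket or of Artifactory's code: it parses `Set-Cookie` header values and lists every cookie issued without the Secure attribute, matching on attribute names so that a `Path` value containing "secure" is not mistaken for the flag. The header lines, cookie values, and the `/example/...` paths are constructed sample data; only the `art-page` cookie name and the two `/artifactory/webapp/` pages come from the ticket.

```python
# Constructed sample data: (request path, raw Set-Cookie header value).
# Only the art-page name and the two /artifactory/webapp/ paths are from the
# ticket; every value and every /example/ path is made up for illustration.
SAMPLE_HEADERS = [
    ("/artifactory/webapp/browserepo.html",
     "art-page=browserepo; Path=/artifactory"),
    ("/artifactory/webapp/bintraysearch.html",
     "art-page=bintraysearch; Path=/artifactory; HttpOnly"),
    ("/example/login", "SESSIONID=abc123; Path=/; Secure; HttpOnly"),
    # "secure" occurs only inside the Path value: this cookie is NOT Secure.
    ("/example/home", "pref=1; Path=/secure-area"),
    # Attribute names are case-insensitive: this cookie IS Secure.
    ("/example/home", "theme=dark; path=/; SECURE"),
]


def parse_set_cookie(header_value):
    """Return (cookie_name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Keep only the attribute name, so "Path=/secure-area" yields "path".
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def cookies_missing_secure(headers):
    """Map each cookie lacking Secure to the sorted list of pages that set it."""
    findings = {}
    for path, value in headers:
        name, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            findings.setdefault(name, set()).add(path)
    return {name: sorted(paths) for name, paths in findings.items()}


if __name__ == "__main__":
    for name, paths in cookies_missing_secure(SAMPLE_HEADERS).items():
        print(f"{name}: no Secure attribute, set on {', '.join(paths)}")
```
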

              People

              Assignee:
              gidis Gidi Shabat
              Reporter:
              justing Justin Gries (Inactive)