[RTFACT-7198] Cookie(s) without "secure" attribute Created: 17/Feb/15  Updated: 14/Nov/17  Resolved: 21/Dec/15

Status: Resolved
Project: Artifactory Binary Repository
Component/s: None
Affects Version/s: 3.5.1
Fix Version/s: 4.4.0

Type: Bug Priority: Normal
Reporter: Justin Gries (Inactive) Assignee: Gidi Shabat
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Relationship
relates to RTFACT-5730 Cookies Set Without HttpOnly or Secur... Resolved
Support Tickets:

Freddie Mac - Support Case

Assigned QA: Anastasiya Muntyan
Internal:
Yes

Description

From the ticket opened by a customer:

<description>
The application web server does not set the Secure attribute when generating certain application cookies. Without the Secure flag set, the web server will transmit the cookie in clear text if the application is accessible over an unencrypted channel. Consequently, an attacker can view any sensitive data in the cookie and gain unauthorized access to the application by hijacking a user’s session.
The following cookies were generated without the Secure attribute set.
art-page

This finding was discovered on the following application pages.
/artifactory/webapp/bintraysearch.html
/artifactory/webapp/browserepo.html
</description>

Here are a couple of links describing the nature of the secure attribute/flag:
https://www.owasp.org/index.php/SecureFlag
http://resources.infosecinstitute.com/securing-cookies-httponly-secure-flags/
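As an added check (not part of this ticket or of Artifactory's own code), the script below parses Set-Cookie headers from a response and reports every cookie issued without the Secure or HttpOnly attribute; the sample headers are constructed to mirror the finding above, with an art-page cookie lacking Secure.

```python
"""Audit Set-Cookie headers for missing Secure / HttpOnly attributes.

Added example, not Artifactory code. The sample headers are constructed
to mirror this issue: an ``art-page`` cookie issued without ``Secure``.
"""
from typing import Dict, List

# Constructed sample of what a response from the affected pages might carry.
SAMPLE_SET_COOKIE_HEADERS = [
    "art-page=1; Path=/artifactory",                           # no Secure, no HttpOnly
    "JSESSIONID=abc123; Path=/artifactory; Secure; HttpOnly",  # hardened
    "tracking=xyz; Path=/; secure",                            # lowercase attribute name
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie value into the cookie name and its attribute set."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive (RFC 6265); normalise to lowercase
    # so "secure" and "Secure" are both recognised.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return {"name": name, "attrs": attrs}


def audit_set_cookie(headers: List[str]) -> List[Dict[str, object]]:
    """Return one finding per cookie that lacks Secure or HttpOnly."""
    findings = []
    for h in headers:
        cookie = parse_set_cookie(h)
        missing = [a for a in ("secure", "httponly") if a not in cookie["attrs"]]
        if missing:
            findings.append({"cookie": cookie["name"], "missing": missing})
    return findings


if __name__ == "__main__":
    for f in audit_set_cookie(SAMPLE_SET_COOKIE_HEADERS):
        print(f"{f['cookie']}: missing {', '.join(f['missing'])}")
```

Point the same function at the Set-Cookie headers of a real response (for example from an HTTP client library) to reproduce the scanner's finding or confirm the fix.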


Generated at Mon Dec 16 11:39:16 UTC 2019 using JIRA 7.6.16#76018-sha1:9ed376192612a49536ac834c64177a0fed6290f5.