Jira Data Center: JRASERVER-10508

Insecure "Remember my Login" cookie on https-sites


Details

    Description

      The feature "Remember my Login on this computer" available on the login screen contains a severe security issue: when Jira is installed at the location https://your.host.name/bugs/ (note the encryption via httpS), the JSESSIONID cookie identifying the current user is set for the current web application (bugs) as a secure cookie:
      HTTP header:
      Set-Cookie: JSESSIONID=1DXXXXXXXXXXXXXXXXXXXXC; Path=/bugs; Secure

      When the user chooses "Remember my Login on this computer", a second cookie is transmitted that will be returned unencrypted when a similar URL is accessed:

      Set-Cookie: seraph.os.cookie=DlElFlGlHllkasDFskjdfk; Expires=Fri, 29-Jun-2007 16:27:15 GMT; Path=/bugs

      There is a "; Secure" missing here if login is done via https.

      (hint for debugging: easy to check with Firefox plugin LiveHttpHeaders)
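      An added example (not part of the original report or of Jira itself) that performs the same check programmatically: it parses Set-Cookie headers from an HTTPS response and reports every cookie that lacks the Secure attribute, using the two headers quoted above as constructed sample input.

```python
"""Audit Set-Cookie headers from an HTTPS response for a missing Secure flag."""
from typing import Dict, List

# Constructed sample input: the two headers quoted in the issue text above
# (the cookie values are placeholders, exactly as in the report).
SAMPLE_HEADERS = [
    "Set-Cookie: JSESSIONID=1DXXXXXXXXXXXXXXXXXXXXC; Path=/bugs; Secure",
    "Set-Cookie: seraph.os.cookie=DlElFlGlHllkasDFskjdfk; "
    "Expires=Fri, 29-Jun-2007 16:27:15 GMT; Path=/bugs",
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header into name, value and an attribute map.

    Attribute names are case-insensitive (RFC 6265); bare flags such as
    'Secure' map to True, attributes with a value keep the value as a string.
    """
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def insecure_cookies(headers: List[str], served_over_https: bool = True) -> List[str]:
    """Return the names of cookies set without Secure on an HTTPS-served site.

    A cookie without Secure is sent again on any plain http:// request to the
    same path, which is the exposure the report describes for seraph.os.cookie.
    """
    if not served_over_https:
        return []  # the Secure attribute only matters when the site is reached over TLS
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if "secure" not in cookie["attrs"]:
            findings.append(cookie["name"])
    return findings


if __name__ == "__main__":
    for cookie_name in insecure_cookies(SAMPLE_HEADERS):
        print(f"cookie {cookie_name!r} lacks the Secure flag and will be sent over http://")
```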

      People

        Andreas Knecht (Inactive)
        Olaf Kock
        Votes: 0
        Watchers: 4
