Type: Bug
Resolution: Fixed
Priority: High
Fix Version/s: 3.5.1
Environment: tomcat / Jira WAR version, https via Apache mod_ssl and mod_jk
Affects Version/s: 3.05
The feature "Remember my Login on this computer" available on the login screen contains a severe security issue: When Jira is installed at the location https://your.host.name/bugs/ (note the encryption via httpS) the JSESSIONID cookie identifying the current user is set for the current web application (bugs) as a secure cookie:
http-header:
Set-Cookie: JSESSIONID=1DXXXXXXXXXXXXXXXXXXXXC; Path=/bugs; Secure
When the user chooses "Remember my Login on this computer" a second cookie is transmitted that will be returned unencrypted when a similar URL is accessed:
Set-Cookie: seraph.os.cookie=DlElFlGlHllkasDFskjdfk; Expires=Fri, 29-Jun-2007 16:27:15 GMT; Path=/bugs
There is a "; Secure" missing here, if login is done via https.
(hint for debugging: easy to check with the Firefox plugin LiveHttpHeaders)
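The check the reporter did by hand with LiveHttpHeaders, as an added example that is not part of the original report and not Atlassian's or Jira's code: a small Python script that parses the Set-Cookie headers of an HTTPS response and lists every cookie set without the Secure attribute. The sample response headers are constructed here to mirror the two headers quoted above; the function names (parse_set_cookie, insecure_cookies, harden_set_cookie) are this example's own.

```python
"""Flag cookies set over HTTPS without the Secure attribute.

Added example, not Jira/Seraph code. The response below is constructed to
mirror the two Set-Cookie headers quoted in the bug report.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the headers a Jira 3.0.x login over https returned
# when "Remember my Login on this computer" was ticked (per the report).
SAMPLE_RESPONSE_HEADERS = """HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=1DXXXXXXXXXXXXXXXXXXXXC; Path=/bugs; Secure
Set-Cookie: seraph.os.cookie=DlElFlGlHllkasDFskjdfk; Expires=Fri, 29-Jun-2007 16:27:15 GMT; Path=/bugs
Content-Type: text/html
"""


@dataclass
class ParsedCookie:
    name: str
    value: str
    # attribute name lowercased -> value, or None for flag attributes (Secure)
    attributes: Dict[str, Optional[str]] = field(default_factory=dict)


def parse_set_cookie(header_value: str) -> ParsedCookie:
    """Split one Set-Cookie header value into name, value and attributes.

    Attributes are separated by ';' only, so an Expires value containing
    commas and colons is kept intact.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep:
        raise ValueError(f"malformed Set-Cookie: {header_value!r}")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else None
    return ParsedCookie(name.strip(), value.strip(), attrs)


def insecure_cookies(raw_headers: str, served_over_https: bool) -> List[str]:
    """Return the names of cookies set without Secure on an HTTPS response.

    A cookie without Secure is sent by the browser on any later plain-http
    request to a matching host and path, which is exactly the leak the
    report describes for the persistent seraph.os.cookie.
    """
    if not served_over_https:
        return []  # Secure is only meaningful for cookies set over TLS
    findings = []
    for line in raw_headers.splitlines():
        hname, sep, hval = line.partition(":")
        if sep and hname.strip().lower() == "set-cookie":
            cookie = parse_set_cookie(hval)
            if "secure" not in cookie.attributes:
                findings.append(cookie.name)
    return findings


def harden_set_cookie(header_value: str) -> str:
    """Append '; Secure' to a Set-Cookie value that lacks it (the fix the report asks for)."""
    if "secure" in parse_set_cookie(header_value).attributes:
        return header_value
    return header_value.rstrip().rstrip(";") + "; Secure"


if __name__ == "__main__":
    for name in insecure_cookies(SAMPLE_RESPONSE_HEADERS, served_over_https=True):
        print(f"cookie {name!r} set over https without Secure")
```

Run against the constructed response it reports only seraph.os.cookie; JSESSIONID already carries the flag. A persistent cookie (one with Expires, as here) deserves the stricter treatment, since it outlives the browser session and will be replayed on every later http request to the same path until it expires.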
Is related to:
SER-72 Cookie secure flag should be set if SSL is in effect. (Resolved)
CONFSERVER-9394 Option to disable "secure" cookie when using HTTPS just for login page (Closed)