Jira Data Center / JRASERVER-10508

Insecure "Remember my Login" cookie on https-sites


The feature "Remember my Login on this computer" available on the login screen contains a severe security issue: When Jira is installed at the location https://your.host.name/bugs/ (note the encryption via httpS) the JSESSIONID cookie identifying the current user is set for the current web application (bugs) as a secure cookie:

Set-Cookie: JSESSIONID=1DXXXXXXXXXXXXXXXXXXXXC; Path=/bugs; Secure

When the user chooses "Remember my Login on this computer" a second cookie is transmitted that will be returned unencrypted when a similar URL is accessed:

Set-Cookie: seraph.os.cookie=DlElFlGlHllkasDFskjdfk; Expires=Fri, 29-Jun-2007 16:27:15 GMT; Path=/bugs

There is a "; Secure" missing here, if login is done via https.

(hint for debugging: easy to check with the Firefox plugin LiveHttpHeaders)
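A small audit of the two headers quoted above, written here as an added example (it is not part of the issue or of Jira): it parses each Set-Cookie value and flags cookies set by an HTTPS site without the Secure attribute, treating a persistent one such as seraph.os.cookie as the more serious case because it outlives the browser session.

```python
from dataclasses import dataclass

# Constructed sample: the two Set-Cookie values quoted in the issue, as a
# browser would receive them after logging in at https://your.host.name/bugs/
SAMPLE_HEADERS = [
    "JSESSIONID=1DXXXXXXXXXXXXXXXXXXXXC; Path=/bugs; Secure",
    "seraph.os.cookie=DlElFlGlHllkasDFskjdfk; "
    "Expires=Fri, 29-Jun-2007 16:27:15 GMT; Path=/bugs",
]


@dataclass
class CookieInfo:
    name: str
    path: str = "/"
    secure: bool = False
    httponly: bool = False
    persistent: bool = False  # Expires or Max-Age present: survives a browser restart


def parse_set_cookie(header: str) -> CookieInfo:
    """Parse one Set-Cookie value into its name and security-relevant attributes."""
    parts = [p.strip() for p in header.split(";")]
    info = CookieInfo(name=parts[0].split("=", 1)[0].strip())
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            info.secure = True
        elif key == "httponly":
            info.httponly = True
        elif key == "path":
            info.path = value.strip() or "/"
        elif key in ("expires", "max-age"):
            info.persistent = True
    return info


def audit_cookies(headers, scheme: str) -> list:
    """List (name, severity, reason) for cookies an HTTPS site set without Secure."""
    findings = []
    if scheme.lower() != "https":
        return findings  # Secure only matters when the site itself is served over TLS
    for header in headers:
        cookie = parse_set_cookie(header)
        if not cookie.secure:
            # A persistent remember-me token is worth more than a session id
            severity = "high" if cookie.persistent else "medium"
            reason = f"{cookie.name} (Path={cookie.path}) lacks Secure and is sent on http:// too"
            findings.append((cookie.name, severity, reason))
    return findings
```

Running audit_cookies(SAMPLE_HEADERS, "https") reports only seraph.os.cookie, with severity "high".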

Andreas Knecht (Inactive)
Olaf Kock