[
https://issues.apache.org/jira/browse/CONNECTORS-1594?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16802996#comment-16802996
]
Karl Wright commented on CONNECTORS-1594:
-----------------------------------------
The issue described will not in any way hijack what MCF indexes. The concern
is that the session ID can be retrieved by a man-in-the-middle should you be
crawling a Broadvision site that has both http and https pages. I would argue
that that is in fact a site design issue, not an MCF security vulnerability.
> insecure cookie configuration vulnerability
> -------------------------------------------
>
> Key: CONNECTORS-1594
> URL: https://issues.apache.org/jira/browse/CONNECTORS-1594
> Project: ManifoldCF
> Issue Type: Improvement
> Components: API
> Affects Versions: ManifoldCF 2.12
> Reporter: roel goovaerts
> Priority: Minor
>
> The application session cookie "JSESSIONID" does not have Secure and HTTPOnly
> flags set.
> The application uses an HTTP cookie as session identifier. The Set-Cookie
> instruction sent by the application to the browser does not specifically
> instruct the browser to only use the cookie on secure communication channels
> (HTTPS). As the instruction is missing, browsers will fall back to their
> default setting, generally meaning that the cookie will be used on both
> secure and insecure communication channels.
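As an added example (not ManifoldCF's or the reporter's code), the following Python parses Set-Cookie header values, reports the two missing attributes named in the report, and models the client-side rule that makes the missing Secure flag matter for a crawler visiting both http and https pages of one site: a cookie without Secure is attached to the plain-http request as well, while one with Secure is only sent over https. The header values, cookie value and URLs are constructed for the example.

```python
"""Audit Set-Cookie headers for Secure/HttpOnly and model which requests
would carry each cookie. Added example; not part of ManifoldCF.
Sample header values and URLs below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    # attribute name (lowercased) -> value; flag attributes map to ""
    attrs: Dict[str, str] = field(default_factory=dict)

    @property
    def secure(self) -> bool:
        return "secure" in self.attrs

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attrs


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value (RFC 6265 section 5.2, simplified:
    no date parsing, attributes are kept as raw strings)."""
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError(f"malformed cookie pair: {parts[0]!r}")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value.strip(), attrs)


def audit_cookie(cookie: Cookie) -> List[str]:
    """Return the findings a reviewer would raise for a session cookie."""
    findings = []
    if not cookie.secure:
        findings.append("missing Secure: cookie is also sent over plain http")
    if not cookie.httponly:
        findings.append("missing HttpOnly: cookie is readable via document.cookie")
    return findings


def would_send(cookie: Cookie, url: str) -> bool:
    """Would a conforming client (RFC 6265 section 5.4) attach this cookie to
    a request for url? Only the Secure/scheme rule is modelled here; domain
    and path matching are assumed to succeed."""
    scheme = urlsplit(url).scheme.lower()
    if cookie.secure and scheme != "https":
        return False
    return True


# Constructed sample headers: the shape reported in the issue, and a hardened form.
WEAK_HEADER = "JSESSIONID=EXAMPLE-SESSION-VALUE; Path=/"
HARDENED_HEADER = (
    "JSESSIONID=EXAMPLE-SESSION-VALUE; Path=/; Secure; HttpOnly; SameSite=Strict"
)


def report(header: str, urls: List[str]) -> Dict[str, object]:
    """Audit one header and show which of the given URLs would carry the cookie."""
    cookie = parse_set_cookie(header)
    return {
        "cookie": cookie.name,
        "findings": audit_cookie(cookie),
        "sent_to": [u for u in urls if would_send(cookie, u)],
    }


if __name__ == "__main__":
    # Constructed URLs standing in for a site that serves both http and https pages.
    crawl = ["https://site.example/secure/page", "http://site.example/public/page"]
    for hdr in (WEAK_HEADER, HARDENED_HEADER):
        print(report(hdr, crawl))
```

To audit a live deployment, feed the value of each `Set-Cookie` response header (for example from `curl -sI` output) to `parse_set_cookie` and act on any non-empty `audit_cookie` result; a session cookie that still lacks `Secure` will show the plain-http URL in `sent_to`, which is exactly the exposure the comment above describes.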
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)