[ https://issues.apache.org/jira/browse/ACCUMULO-4676?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Christopher Tubbs updated ACCUMULO-4676:
----------------------------------------
    Fix Version/s: 2.0.0
                   1.8.2
                   1.7.4

> Missing HTTPOnly flags on the JSESSIONID cookie in Monitor UI
> -------------------------------------------------------------
>
>                 Key: ACCUMULO-4676
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-4676
>             Project: Accumulo
>          Issue Type: Improvement
>          Components: monitor
>            Reporter: Toshihiro Suzuki
>            Priority: Minor
>             Fix For: 1.7.4, 1.8.2, 2.0.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Currently, the JSESSIONID cookie in Monitor UI doesn't have HTTPOnly flags
> set. If the HttpOnly attribute is set on a cookie, then the cookie's value
> cannot be read or set by client-side JavaScript. This measure can prevent
> certain client-side attacks, such as cross-site scripting, from trivially
> capturing the cookie's value via an injected script. Malicious client-side
> code can access the JSESSIONID and hijack active sessions to gain
> unauthorized access to the application.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
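Added here as an illustration and not part of the ticket or of Accumulo's own code: a small audit that parses Set-Cookie headers from an HTTP response and reports session cookies that lack the HttpOnly attribute the ticket asks for (it also flags a missing Secure attribute, which goes beyond the ticket). The header values and the JSESSIONID value are constructed samples.

```python
"""Audit Set-Cookie headers for session cookies missing HttpOnly/Secure.

Added example (not Accumulo code). The sample headers below are constructed
to resemble what a servlet container sends for JSESSIONID, before and after
the cookie flags are enabled.
"""

# Cookie names that carry a session identifier and therefore must be HttpOnly.
SESSION_COOKIE_NAMES = {"JSESSIONID"}


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute: value}).

    Attribute names are lower-cased because browsers match them
    case-insensitively ("HttpOnly" and "httponly" are equivalent).
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header_value):
    """Return a list of findings for one Set-Cookie header (empty means OK)."""
    name, _, attrs = parse_set_cookie(header_value)
    findings = []
    if name in SESSION_COOKIE_NAMES:
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly (readable by client-side script)")
        if "secure" not in attrs:
            findings.append(f"{name}: missing Secure (sent over plaintext HTTP)")
    return findings


def audit_response_headers(headers):
    """Audit every Set-Cookie header in a list of (header name, value) pairs."""
    findings = []
    for hname, hvalue in headers:
        if hname.lower() == "set-cookie":
            findings.extend(audit_set_cookie(hvalue))
    return findings


# Constructed samples: the unflagged cookie the ticket describes, then the
# same cookie once the container emits HttpOnly and Secure.
BEFORE = [("Set-Cookie", "JSESSIONID=node01abc123.node0; Path=/")]
AFTER = [("Set-Cookie", "JSESSIONID=node01abc123.node0; Path=/; Secure; HttpOnly")]

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_response_headers(hdrs) or ["OK"])
```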