[
https://issues.apache.org/jira/browse/ACCUMULO-4676?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Christopher Tubbs resolved ACCUMULO-4676.
-----------------------------------------
Resolution: Fixed
> Missing HTTPOnly flags on the JSESSIONID cookie in Monitor UI
> -------------------------------------------------------------
>
> Key: ACCUMULO-4676
> URL: https://issues.apache.org/jira/browse/ACCUMULO-4676
> Project: Accumulo
> Issue Type: Improvement
> Components: monitor
> Reporter: Toshihiro Suzuki
> Assignee: Toshihiro Suzuki
> Priority: Minor
> Fix For: 1.7.4, 1.8.2, 2.0.0
>
> Time Spent: 50m
> Remaining Estimate: 0h
>
> Currently, the JSESSIONID cookie in the Monitor UI doesn't have the HttpOnly
> flag set. If the HttpOnly attribute is set on a cookie, then the cookie's value
> cannot be read or set by client-side JavaScript. This measure can prevent
> certain client-side attacks, such as cross-site scripting, from trivially
> capturing the cookie's value via an injected script. Malicious client-side
> code can access the JSESSIONID and hijack active sessions to gain
> unauthorized access to the application.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
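As an added example (not code from the ticket or from the Accumulo project), the following Python script parses Set-Cookie header values, reports session cookies that are set without the HttpOnly attribute, and produces the corrected header value with the attribute appended. The sample header values are constructed for illustration; the script also records the Secure attribute, which goes beyond what the ticket itself discusses.

```python
"""Check Set-Cookie header values for the HttpOnly attribute.

Added example; not part of ACCUMULO-4676 or the Accumulo code base.
Sample header values below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Sequence


@dataclass
class CookieCheck:
    name: str
    http_only: bool
    secure: bool
    attributes: Dict[str, str] = field(default_factory=dict)


def parse_set_cookie(header_value: str) -> CookieCheck:
    """Parse one Set-Cookie header value (RFC 6265 layout).

    The first ';'-separated part is name=value; the remaining parts are
    attributes. Attribute names are case-insensitive, and HttpOnly and
    Secure are bare flags with no value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = ""
    return CookieCheck(
        name=name,
        http_only="httponly" in attrs,
        secure="secure" in attrs,
        attributes=attrs,
    )


def find_unprotected_session_cookies(
    headers: Sequence[str], session_names: Sequence[str] = ("JSESSIONID",)
) -> List[str]:
    """Return names of session cookies that are set without HttpOnly."""
    findings: List[str] = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie.name in session_names and not cookie.http_only:
            findings.append(cookie.name)
    return findings


def with_http_only(header_value: str) -> str:
    """Return the header value with HttpOnly appended if it is missing."""
    if parse_set_cookie(header_value).http_only:
        return header_value
    return header_value.rstrip().rstrip(";") + "; HttpOnly"


# Constructed samples: the first is the state the ticket describes,
# the second is what a server sends once the flag is set.
BEFORE_FIX = ["JSESSIONID=abc123; Path=/"]
AFTER_FIX = ["JSESSIONID=abc123; Path=/; HttpOnly; Secure"]

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        missing = find_unprotected_session_cookies(hdrs)
        print(f"{label}: missing HttpOnly on {missing or 'nothing'}")
    print("corrected:", with_http_only(BEFORE_FIX[0]))
```

Run the script against the Set-Cookie values captured from a login response; any session cookie name reported by `find_unprotected_session_cookies` is readable by injected script, which is the exposure the ticket closes.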