[ https://issues.apache.org/jira/browse/CONNECTORS-1594?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16802996#comment-16802996 ]
Karl Wright commented on CONNECTORS-1594:
-----------------------------------------

The issue described will not in any way hijack what MCF indexes. The concern is that the session ID can be retrieved by a man-in-the-middle should you be crawling a Broadvision site that has both http and https pages. I would argue that that is in fact a site design issue, not an MCF security vulnerability.

> insecure cookie configuration vulnerability
> -------------------------------------------
>
> Key: CONNECTORS-1594
> URL: https://issues.apache.org/jira/browse/CONNECTORS-1594
> Project: ManifoldCF
> Issue Type: Improvement
> Components: API
> Affects Versions: ManifoldCF 2.12
> Reporter: roel goovaerts
> Priority: Minor
>
> The application session cookie "JSESSIONID" does not have Secure and HTTPOnly
> flags set.
> The application uses an HTTP cookie as session identifier. The Set-Cookie
> instruction sent by the application to the browser does not specifically
> instruct the browser to only use the cookie on secure communication channels
> (HTTPS). As the instruction is missing, browsers will fall back to their
> default setting, generally meaning that the cookie will be used on both
> secure and insecure communication channels.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
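The report above is about two attributes on the Set-Cookie header, Secure and HttpOnly. The following checker is an added example written for this page; it is not ManifoldCF code and is not part of the JIRA thread. It parses a Set-Cookie header value, reports which of the two attributes a session cookie lacks, and shows the weak header beside the hardened form that adds them. Attribute names are matched case-insensitively, so the report's "HTTPOnly" spelling and the canonical "HttpOnly" are treated alike. The sample header values, the cookie value string and the Path values are constructed for the example.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Added example for the CONNECTORS-1594 discussion; not ManifoldCF code.
All sample headers below are constructed, not captured from a server.
"""
from typing import Dict, List, Tuple


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split a Set-Cookie header value into the name/value pair and attributes.

    Attribute names are case-insensitive (RFC 6265), so they are lower-cased.
    Flags that carry no value (Secure, HttpOnly) are stored as True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def missing_session_flags(header: str,
                          session_names: Tuple[str, ...] = ("JSESSIONID",)) -> List[str]:
    """Return the protections a session cookie header is missing.

    Only cookies whose name is in session_names are examined, because the
    concern in the report is the session identifier; other cookies yield [].
    Without Secure the browser will also send the cookie over plain HTTP;
    without HttpOnly script in the page can read it.
    """
    cookie = parse_set_cookie(header)
    if cookie["name"] not in session_names:
        return []
    attrs = cookie["attrs"]
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    return missing


def harden_set_cookie(header: str) -> str:
    """Return the header with Secure and HttpOnly appended when absent.

    Existing attributes are kept verbatim; this is the rewrite a servlet
    container or reverse proxy applies when configured to add the flags.
    """
    hardened = header.rstrip().rstrip(";")
    for flag in missing_session_flags(header):
        hardened += f"; {flag}"
    return hardened


# Constructed sample headers: the weak form the report describes, its
# hardened counterpart, and a non-session cookie the check ignores.
SAMPLE_HEADERS = [
    "JSESSIONID=0123456789ABCDEF; Path=/",
    "JSESSIONID=0123456789ABCDEF; Path=/; Secure; HttpOnly",
    "theme=dark; Path=/; Max-Age=3600",
]


def audit(headers: List[str]) -> Dict[str, List[str]]:
    """Map each header to the list of missing session-cookie protections."""
    return {h: missing_session_flags(h) for h in headers}


if __name__ == "__main__":
    for header, missing in audit(SAMPLE_HEADERS).items():
        print(f"{header!r}: missing {missing or 'nothing'}")
        if missing:
            print(f"  hardened: {harden_set_cookie(header)}")
```

The checker only decides whether the flags are present; whether their absence matters is the point Karl Wright raises. A Secure-less JSESSIONID is only exposed if the same session is ever carried over a plaintext http:// URL, which is why the site's mix of http and https pages, not the crawler, determines the actual risk.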