accumulo-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Christopher Tubbs (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ACCUMULO-4676) Missing HTTPOnly flags on the JSESSIONID cookie in Monitor UI
Date Wed, 05 Jul 2017 22:24:02 GMT

    [ https://issues.apache.org/jira/browse/ACCUMULO-4676?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16075534#comment-16075534
] 

Christopher Tubbs commented on ACCUMULO-4676:
---------------------------------------------

I don't believe the Accumulo monitor actually uses sessions. I'm pretty sure we only set a
session handler at all, because we didn't realize we could set the ServletContextHandler parameter
to null. However, as long as it's not null, this is a good change to make. Thanks!

Will need to check to see if this would have to be done for ACCUMULO-3005.

Thanks for the contribution! Please reply here with any desired details if you'd like to be
listed as a contributor on our people page (https://accumulo.apache.org/people), or issue
a pull request to https://github.com/apache/accumulo-website/blob/master/pages/people.md referencing
this issue. We hope you'll contribute again!

> Missing HTTPOnly flags on the JSESSIONID cookie in Monitor UI
> -------------------------------------------------------------
>
>                 Key: ACCUMULO-4676
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-4676
>             Project: Accumulo
>          Issue Type: Improvement
>          Components: monitor
>            Reporter: Toshihiro Suzuki
>            Priority: Minor
>             Fix For: 1.7.4, 1.8.2, 2.0.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Currently, the JSESSIONID cookie in Monitor UI doesn't have HTTPOnly flags set. If the
HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side
JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting,
from trivially capturing the cookie's value via an injected script. A malicious client-side
code can access the JSESSIONID and hijack active sessions to gain unauthorized access to the
application.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Mime
View raw message