accumulo-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Toshihiro Suzuki (JIRA)" <>
Subject [jira] [Commented] (ACCUMULO-4676) Missing HTTPOnly flags on the JSESSIONID cookie in Monitor UI
Date Thu, 06 Jul 2017 10:28:00 GMT


Toshihiro Suzuki commented on ACCUMULO-4676:

Thanks [~ctubbsii], I think "/shell" (org.apache.accumulo.monitor.servlets.ShellServlet) uses
sessions, so I thought the JSESSIONID cookie need HTTPOnly flags set.

Also, I would like to be listed as a contributor, so I'll issue a pull request to

> Missing HTTPOnly flags on the JSESSIONID cookie in Monitor UI
> -------------------------------------------------------------
>                 Key: ACCUMULO-4676
>                 URL:
>             Project: Accumulo
>          Issue Type: Improvement
>          Components: monitor
>            Reporter: Toshihiro Suzuki
>            Assignee: Toshihiro Suzuki
>            Priority: Minor
>             Fix For: 1.7.4, 1.8.2, 2.0.0
>          Time Spent: 50m
>  Remaining Estimate: 0h
> Currently, the JSESSIONID cookie in Monitor UI doesn't have HTTPOnly flags set. If the
HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side
JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting,
from trivially capturing the cookie's value via an injected script. A malicious client-side
code can access the JSESSIONID and hijack active sessions to gain unauthorized access to the

This message was sent by Atlassian JIRA

View raw message