[QPID-7386] [Java Broker, WMC] Session Cookie should set the HttpOnly flag - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: qpid-java-6.0.5, qpid-java-6.1
Component/s: Broker-J
Labels:
None

Description

Cookies that do not have the HttpOnly flag set can be accessed via javascript. Thus should there be a XSS vulnerability the malicious script could access the session cookie to hijack the session.
See OWASP for more information.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

QPID-7386.diff
11/Aug/16 11:49
0.9 kB
Lorenz Quack

Activity

People

Assignee:: Unassigned

Reporter:: Lorenz Quack

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 11/Aug/16 11:48

Updated:: 17/Nov/16 13:05

Resolved:: 11/Aug/16 11:54