Bug 412488 - SPRING_SECURITY_REMEMBER_ME_COOKIE set on non secure connections
Summary: SPRING_SECURITY_REMEMBER_ME_COOKIE set on non secure connections
Status: ASSIGNED
Alias: None
Product: Hudson
Classification: Technology
Component: Core
Version: 3.0.1
Hardware: PC Mac OS X
Importance: P2 major
Target Milestone: ---
Assignee: Winston Prakash
QA Contact: Geoff Waymark
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-07-08 05:42 EDT by Gerard Davison
Modified: 2014-06-17 14:42 EDT

See Also:


Description Gerard Davison 2013-07-08 05:42:30 EDT
I noticed that when I set the remember me tick box, the remember-me token is set. This potentially means that until this cookie times out, anybody sniffing on the local network can reconnect as this user.

This functionality should only be available on a secure connection. It could also be argued that allowing any connections on a non-secure page should be disabled; but that perhaps is a bug for another day.
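As an added example (not code from Hudson or Spring Security), a small check a defender can run against a login response to confirm the remember-me cookie is only issued over HTTPS and carries the Secure attribute; the response headers are constructed sample input, and only the cookie name comes from the report.

```python
# Added example, not Hudson's or Spring Security's own code: audit the
# Set-Cookie headers of an HTTP response for a remember-me cookie issued
# without the Secure attribute (and, secondarily, HttpOnly). The sample
# headers below are constructed; only the cookie name comes from the report.
from dataclasses import dataclass
from typing import List, Tuple

REMEMBER_ME_COOKIE = "SPRING_SECURITY_REMEMBER_ME_COOKIE"

@dataclass
class CookieInfo:
    name: str
    secure: bool
    http_only: bool

def parse_set_cookie(header_value: str) -> CookieInfo:
    """Parse one Set-Cookie value into its name and the attributes we check."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; values (Path=/, Max-Age=...) are dropped.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return CookieInfo(name, "secure" in attrs, "httponly" in attrs)

def audit_response(headers: List[Tuple[str, str]], over_tls: bool) -> List[str]:
    """Return findings for remember-me cookies set in this response.

    headers:  (name, value) pairs as received; Set-Cookie may repeat.
    over_tls: whether the response arrived on an HTTPS connection.
    """
    findings = []
    for hname, value in headers:
        if hname.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        if cookie.name != REMEMBER_ME_COOKIE:
            continue
        if not over_tls:
            findings.append("remember-me token issued over plaintext HTTP")
        if not cookie.secure:
            findings.append("remember-me cookie lacks Secure; browser will resend it over HTTP")
        if not cookie.http_only:
            findings.append("remember-me cookie lacks HttpOnly; readable by page scripts")
    return findings

# Constructed sample response matching the report: plain HTTP, no Secure flag.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=constructed123; Path=/; HttpOnly"),
    ("Set-Cookie", "SPRING_SECURITY_REMEMBER_ME_COOKIE=constructedToken; Path=/; Max-Age=1209600"),
]
```

Running `audit_response(SAMPLE_HEADERS, over_tls=False)` reports all three findings; a cookie issued over HTTPS with `Secure; HttpOnly` produces none.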
Comment 1 Duncan Mills 2013-09-06 05:16:25 EDT
Targeted for 3.2
Comment 2 Winston Prakash 2014-05-22 18:08:02 EDT
I understand the concern, so in that case shouldn't Hudson be set up to serve only over HTTPS?