I noticed that when I set the remember me tick box, the REMEMBER me token is set; this potentially means that until this cookie times out, anybody sniffing on the local network can reconnect as this user. This functionality should only be available on a secure connection. It could also be argued that allowing any connections on a non-secure page should be disabled, but that perhaps is a bug for another day.
Targeted for 3.2
I understand the concern, so in that case shouldn't Hudson be set up to serve only with HTTPS?