Dev - Nexus Repo
NEXUS-7800

add configuration to set Secure flag on cookies


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.11
    • Fix Version/s: 2.11.1, 3.0.0-m3
    • Component/s: Transport
    • Sprint: Sprint 32

      Description

      When Nexus is configured to serve requests over an https connection, the cookies that are created for JSESSIONID (by Jetty and Shiro) do not include the "Secure" flag.

      https://www.owasp.org/index.php/SecureFlag
      http://resources.infosecinstitute.com/securing-cookies-httponly-secure-flags/

      It should be possible to configure Nexus to set the "Secure" flag on session cookies as part of configuring Nexus support for SSL.

      was: Nexus should always set the Secure flag on cookies if in response to an inbound SSL request direct to its container (Jetty). Further, a solution should be available when a reverse proxy is fronting Nexus with https and talking to Nexus over http.


      A new configuration option has been added: to enable secure session cookies, add "shiro.secureSessionCookies=true" to nexus.properties.

      When enabled, all Nexus session cookies will be marked as secure, meaning that the browser will only send them to HTTPS pages.


      Summary:

      The Sonatype Nexus application cookies are not marked with the secure cookie flag, leaving them vulnerable to exposure and therefore session hijacking.

      The secure flag informs browsers that the cookie should only be sent over secure connections. This limits the exposure to network attackers. Following authentication, the JSESSIONID cookie is used to authenticate the user sending requests. Since this cookie is highly sensitive, it must not be sent in plaintext over the network.

      Note that even if the site uses TLS, a browser still sends a cookie without the Secure flag when the site is requested over HTTP, even if the server never serves plaintext connections. An attacker performing a man-in-the-middle attack can force such HTTP requests and thereby expose the cookie.
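      As an added example (not part of the NEXUS-7800 issue or of the Nexus code base), the following Python script parses Set-Cookie headers, reports session cookies that lack the Secure or HttpOnly attribute, and models the browser rule the summary describes: a cookie without Secure is attached to http:// requests as well as https:// ones. It serves both the configuration note above (the "after" header corresponds to a cookie marked secure) and the summary's point about plaintext requests. The header strings, the host name nexus.example.internal and the cookie values are constructed; the only page-derived facts are the JSESSIONID cookie name and the Secure attribute. Domain and Path matching are assumed to succeed and are not modelled.

```python
"""Audit Set-Cookie headers for the Secure/HttpOnly attributes and model
which requests a browser would attach the cookie to (added example)."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Cookie:
    """One parsed Set-Cookie header: name, value and lower-cased attributes."""
    name: str
    value: str
    attrs: dict = field(default_factory=dict)

    @property
    def secure(self) -> bool:
        return self.attrs.get("secure") is True

    @property
    def httponly(self) -> bool:
        return self.attrs.get("httponly") is True


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header value in the RFC 6265 shape
    'name=value; Attr=val; Flag'. Attribute names are stored lower-cased;
    valueless attributes such as Secure and HttpOnly become True."""
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        if not piece:
            continue
        key, has_value, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return Cookie(name.strip(), value.strip(), attrs)


def browser_would_send(cookie: Cookie, request_url: str) -> bool:
    """The single rule that matters here: a cookie carrying Secure is only
    attached to requests whose scheme is https; any other cookie is also
    attached to plaintext http requests. Domain/Path matching is assumed."""
    scheme = urlsplit(request_url).scheme.lower()
    if cookie.secure and scheme != "https":
        return False
    return True


def audit_session_cookies(set_cookie_headers, session_cookie_name="JSESSIONID"):
    """Return (cookie name, [missing attributes]) for every session cookie
    that lacks Secure or HttpOnly; an empty list means nothing to report."""
    findings = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie.name != session_cookie_name:
            continue
        missing = [flag for flag in ("Secure", "HttpOnly")
                   if cookie.attrs.get(flag.lower()) is not True]
        if missing:
            findings.append((cookie.name, missing))
    return findings


# Constructed sample headers; the session ids are placeholders, not real ones.
BEFORE_FIX = "JSESSIONID=sample-session-id-0001; Path=/; HttpOnly"
AFTER_FIX = "JSESSIONID=sample-session-id-0001; Path=/; Secure; HttpOnly"


def demo():
    """Compare the two header forms against an http and an https request
    to the (constructed) host nexus.example.internal."""
    results = {}
    for label, header in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        cookie = parse_set_cookie(header)
        results[label] = {
            "secure": cookie.secure,
            "sent_over_http": browser_would_send(cookie, "http://nexus.example.internal/"),
            "sent_over_https": browser_would_send(cookie, "https://nexus.example.internal/"),
            "findings": audit_session_cookies([header]),
        }
    return results


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

      Run against the Set-Cookie headers captured from a real login response, the audit reports `("JSESSIONID", ["Secure"])` for the pre-fix header and nothing for the fixed one, and the browser model shows why the flag matters: only the cookie without Secure is attached to the http:// request.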

              People

              Assignee: Joe Tom (jtom)
              Reporter: Peter Lynch (plynch)
              Last Updated By: Peter Lynch
              Votes: 0
              Watchers: 6
