When Nexus is configured to serve requests over an https connection, the cookies that are created for JSESSIONID (by Jetty and Shiro) do not include the "Secure" flag.
It should be possible to configure Nexus to set the "Secure" flag on session cookies as part of configuring Nexus support for SSL.
Nexus should always set the Secure flag on cookies issued in response to an inbound SSL request made directly to its container (Jetty). Further, a solution should be available when a reverse proxy fronts Nexus with https and talks to Nexus over http.
A new configuration option has been added: to enable secure session cookies, add "shiro.secureSessionCookies=true" to nexus.properties.
When enabled all Nexus session cookies will be marked as secure, meaning that they will only be sent by the browser to HTTPS pages.
The Sonatype Nexus application cookies are not marked with the secure cookie flag, leaving them vulnerable to exposure and therefore session hijacking.
The secure flag informs browsers that the cookie should only be sent over secure connections. This limits the exposure to network attackers. Following authentication, the JSESSIONID cookie is used to authenticate the user sending requests. Since this cookie is highly sensitive, it must not be sent in plaintext over the network.
Note that even if the site uses TLS, a browser still sends the cookie if the site is requested over HTTP, even if the server does not serve plaintext connections. An attacker performing a man-in-the-middle attack can force HTTP requests that expose the cookie.
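The following is an added example, not code from Nexus, Jetty or Shiro: a small audit that parses the Set-Cookie headers returned by a server and reports session cookies (JSESSIONID by default) that lack the Secure flag the issue describes, plus HttpOnly as a companion check. The sample header values are constructed to mirror the before and after states of this issue; the helper that fetches live headers over HTTPS is included for use against a real instance but is not needed to run the audit offline.

```python
"""Audit Set-Cookie headers for session cookies missing the Secure flag.

Added example, not Nexus/Jetty/Shiro code. Parses raw Set-Cookie header
values and reports session cookies that a browser would also send over
plaintext HTTP because the Secure attribute is absent.
"""
import http.client

# Names of cookies that carry an authenticated session (assumption: only
# JSESSIONID matters for the deployment being audited).
SESSION_COOKIE_NAMES = ("JSESSIONID",)

# Attributes a session cookie should carry; checked in this order.
REQUIRED_FLAGS = ("secure", "httponly")

# Constructed sample headers: the first mirrors the reported behaviour
# (no Secure flag), the second the state after enabling
# shiro.secureSessionCookies=true in nexus.properties.
INSECURE_HEADERS = [
    "JSESSIONID=constructed-session-id; Path=/; HttpOnly",
    "NX-ANTI-CSRF-TOKEN=constructed-token; Path=/",
]
SECURE_HEADERS = [
    "JSESSIONID=constructed-session-id; Path=/; Secure; HttpOnly",
    "NX-ANTI-CSRF-TOKEN=constructed-token; Path=/",
]


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to True, valued attributes (Path, Max-Age) to their text.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_cookies(set_cookie_headers, session_names=SESSION_COOKIE_NAMES):
    """Return [(cookie_name, [missing_flags])] for session cookies only.

    Non-session cookies are ignored; an empty list means every session
    cookie carried all REQUIRED_FLAGS.
    """
    findings = []
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        if name not in session_names:
            continue
        missing = [flag for flag in REQUIRED_FLAGS if flag not in attrs]
        if missing:
            findings.append((name, missing))
    return findings


def fetch_set_cookie_headers(host, path="/", port=443):
    """Fetch all Set-Cookie headers from one HTTPS GET (network access).

    Not exercised offline; run it against the Nexus host under test,
    through the reverse proxy if one fronts the instance, since that is
    the path the browser actually uses.
    """
    conn = http.client.HTTPSConnection(host, port, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.msg.get_all("Set-Cookie") or []
    finally:
        conn.close()


if __name__ == "__main__":
    for label, headers in (("before", INSECURE_HEADERS), ("after", SECURE_HEADERS)):
        result = audit_cookies(headers)
        print(f"{label}: {result if result else 'all session cookies secure'}")
```

When run offline the "before" headers produce one finding for JSESSIONID missing `secure`, and the "after" headers produce none; the check is deliberately indifferent to the cookie value so it can be run against any instance without recording session ids.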
- is related to
NEXUS-8387 Cookie secure flag documentation
- is superseded by
NEXUS-7879 generate dynamic Secure parameterized cookies based on HttpServletRequest.isSecure()