JSessionID Visible in Appian Cloud Portal creating security concern in Pen Testing

Certified Associate Developer

Hi Appian Community,

In our recent pen testing report it was found that the JSessionID is visible in the browser's developer tools under the Inspect functionality, which is raised as a security concern in the pen testing report.

Has anyone previously run into such an issue, or have any idea how to handle the scenario?

    Certified Associate Developer
    AFAIK, if the following two attributes are set for the JSessionID cookie, then there is no security issue.
    1. httpOnly
       JavaScript code can't read the cookie.

    2. HTTPS
       • The browser won't attach this cookie to an HTTP request.
       • The HTTPS request will be encrypted, so cookies will be sent safely.
       • When sent over HTTPS, all data will be encrypted by the browser before it is sent to the network. The attacker won't be able to get the raw data.

    As suggested by  , you can check with Appian.
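A small added check (not Appian's code, nor from the reply above) that audits `Set-Cookie` headers for the two attributes the reply names, HttpOnly and Secure, on the JSESSIONID cookie; the header values below are constructed samples, and the `SESSION_COOKIE_NAMES` tuple is an assumption. Developer tools still list HttpOnly cookies, so what a report should be judged on is the attributes the server sets, which is what this script reports.

```python
"""Audit Set-Cookie headers for session-cookie hardening flags.

Added example, not part of the original post. Only the attribute names
are checked; this does not fetch anything from a server.
"""
from dataclasses import dataclass
from typing import List, Optional

# Assumption: these are the cookie names treated as session identifiers.
SESSION_COOKIE_NAMES = ("JSESSIONID",)

# Constructed sample headers (not captured from a real Appian instance).
SAMPLE_HEADERS = [
    "JSESSIONID=constructed-token-1; Path=/suite; HttpOnly; Secure; SameSite=Lax",
    "JSESSIONID=constructed-token-2; Path=/",
    "theme=dark; Path=/",
]


@dataclass
class CookieCheck:
    name: str
    http_only: bool
    secure: bool
    same_site: Optional[str]

    @property
    def ok(self) -> bool:
        """True when both flags named in the reply are present."""
        return self.http_only and self.secure


def parse_set_cookie(header: str) -> CookieCheck:
    """Parse one Set-Cookie value; attribute names are case-insensitive."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue  # tolerate a trailing ';'
        key, _, value = attr.partition("=")
        attrs[key.strip().lower()] = value.strip() or True
    same_site = attrs.get("samesite")
    return CookieCheck(name, "httponly" in attrs, "secure" in attrs,
                       same_site if isinstance(same_site, str) else None)


def audit_session_cookies(headers: List[str]) -> List[CookieCheck]:
    """Return the parsed checks for every session cookie in the headers."""
    checks = [parse_set_cookie(h) for h in headers]
    return [c for c in checks if c.name.upper() in SESSION_COOKIE_NAMES]


def findings(headers: List[str]) -> List[str]:
    """One line per session cookie that lacks HttpOnly or Secure."""
    out = []
    for idx, header in enumerate(headers, 1):
        cookie = parse_set_cookie(header)
        if cookie.name.upper() not in SESSION_COOKIE_NAMES:
            continue
        missing = [flag for flag, present in
                   (("HttpOnly", cookie.http_only), ("Secure", cookie.secure))
                   if not present]
        if missing:
            out.append(f"{cookie.name} (header {idx}): missing {', '.join(missing)}")
    return out


if __name__ == "__main__":
    print("\n".join(findings(SAMPLE_HEADERS)) or "all session cookies hardened")
```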