Default configurations of Apache Shiro send sensitive cookies in an HTTPS session without the Secure attribute.
This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1.
Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue.
In the affected versions, the Shiro-native session manager and the Remember-Me manager send the JSESSIONID and rememberMe cookies without the Secure attribute by default.
Because the Secure attribute is not set, a browser will also send these cookies over plain HTTP, not only over the HTTPS session in which they were issued.
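A quick way for an operator to verify whether a deployment is affected (before and after upgrading or overriding the cookie settings) is to inspect the `Set-Cookie` headers an HTTPS response actually emits. The following checker is an added example, not code from the advisory or from the Apache Shiro project; the sample response headers in it are constructed to mirror the advisory's description (a default that omits `Secure`, and a corrected response that includes it), and the cookie names `JSESSIONID` and `rememberMe` are the two named above.

```python
import re

# The two cookies the advisory names: Shiro's native session id cookie and
# the Remember-Me cookie. Cookie names are case-sensitive, so match exactly.
SENSITIVE_COOKIES = {"JSESSIONID", "rememberMe"}


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, {attr: value}).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        k, _, v = attr.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), value, attrs


def set_cookie_headers_from_response(raw_response):
    """Extract every Set-Cookie header value from a raw HTTP response text.

    Only the header block (before the first blank line) is scanned.
    """
    header_block = re.split(r"\r?\n\r?\n", raw_response, maxsplit=1)[0]
    headers = []
    for line in header_block.splitlines():
        if line.lower().startswith("set-cookie:"):
            headers.append(line.split(":", 1)[1].strip())
    return headers


def missing_secure(set_cookie_headers, over_https=True):
    """Return the sensitive cookie names issued without the Secure attribute.

    The check only makes sense for a response served over HTTPS: a cookie
    issued over plain HTTP cannot usefully carry Secure, so it is skipped.
    """
    if not over_https:
        return []
    findings = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name in SENSITIVE_COOKIES and "secure" not in attrs:
            findings.append(name)
    return findings


# Constructed sample: what an affected default deployment might send over HTTPS.
VULNERABLE_DEFAULT_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=0123456789abcdef; Path=/; HttpOnly\r\n"
    "Set-Cookie: rememberMe=deleteMe; Path=/; Max-Age=0\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

# Constructed sample: the same response once both cookies carry Secure.
FIXED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=0123456789abcdef; Path=/; HttpOnly; Secure\r\n"
    "Set-Cookie: rememberMe=deleteMe; Path=/; Max-Age=0; Secure\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)


def audit(raw_response, over_https=True):
    """Convenience wrapper: raw response text in, list of offending cookies out."""
    return missing_secure(set_cookie_headers_from_response(raw_response), over_https)


if __name__ == "__main__":
    for label, resp in (("default", VULNERABLE_DEFAULT_RESPONSE), ("fixed", FIXED_RESPONSE)):
        bad = audit(resp)
        status = "OK" if not bad else "missing Secure on: " + ", ".join(bad)
        print(f"{label}: {status}")
```

Point `audit` at a captured response from the login or session-creation endpoint of the HTTPS-facing deployment; an empty result means both cookies carry the attribute. If the application sits behind a TLS-terminating proxy, capture the response as the browser sees it, since a proxy may add or strip cookie attributes.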
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Shiro | Apache | * | 2.1.1 (excluding) |
| Shiro | Apache | 3.0.0-alpha1 (including) | 3.0.0-alpha1 (including) |