Duplicate cookies set

Hello Team,

Summary:
When we did some security pen-testing of the open-source SonarQube 7.9.2 Community Edition installed on our project application, we found duplicate cookies set at the SonarQube URL endpoint (/sonarqube/quality_gates/show/). The response contains two or more Set-Cookie headers that attempt to set the same cookie to different values. Browsers will only accept one of these values, typically the value in the last header.

Impact:
The presence of the duplicate headers may indicate a programming error.

As you can see in this screenshot:

I believe this is a low-severity bug, but if you can provide us with a fix for it, we would appreciate it.

Hi Yashraj,

Thanks for your post. However, I cannot reproduce the duplicate cookies on our side. May I ask if your SonarQube server is behind a proxy? (Some proxies are configured to enrich headers.) The date in your request, “15 May 2020”, seems a long time ago. Just to understand the context, was this request made recently, and how did you make this request?

Hello Zipeng_Wu,
Actually yes, we have a proxy behind our SonarQube, and this request was made by our security team using a security tool two to three months ago. That's why you see the request time as “15 May 2020”.

Hi Yashraj,

In this case the duplication of headers might be due to your proxy settings.

FYI, we recently fixed a JWT token refresh issue in version 8.4: https://jira.sonarsource.com/browse/SONAR-13372 . With version 8.4+, you should get the Set-Cookie header for JWT-SESSION only when your JWT token has expired.

Thank you Zipeng Wu, we appreciate the update and will wait until our SonarQube is upgraded to version 8.4. So if you need to, you can close the ticket.
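A small check that turns the two points made in this thread (a response that sets the same cookie name twice, and the suggestion that the reverse proxy rather than SonarQube is adding the second header) into something you can run against captured responses. This is an added example, not code from SonarQube or from either poster; the two responses embedded below are constructed samples with dummy cookie values and an assumed cookie path, and the cookie names JWT-SESSION and XSRF-TOKEN are taken from the thread. To attribute a duplicate to the proxy, capture the same request once directly against the SonarQube backend port and once through the proxy, and feed both responses to proxy_introduced().

```python
"""Report duplicate Set-Cookie headers in raw HTTP responses and tell
proxy-added duplicates from ones the application itself produced.

Added example for the thread above; not SonarQube code. Both responses are
constructed samples, not captures from a real server.
"""
from collections import OrderedDict
from typing import Dict, List, Set, Tuple

# Constructed: response from the SonarQube backend itself (dummy values).
DIRECT_RESPONSE = b"""HTTP/1.1 200 OK
Content-Type: text/html;charset=utf-8
Set-Cookie: JWT-SESSION=jwt.backend.value; Path=/sonarqube; HttpOnly
Set-Cookie: XSRF-TOKEN=xsrf-backend; Path=/sonarqube
Content-Length: 0

"""

# Constructed: the same request seen through a reverse proxy that appends a
# second Set-Cookie for JWT-SESSION with a different value (assumed behaviour).
PROXIED_RESPONSE = b"""HTTP/1.1 200 OK
Content-Type: text/html;charset=utf-8
Set-Cookie: JWT-SESSION=jwt.backend.value; Path=/sonarqube; HttpOnly
Set-Cookie: XSRF-TOKEN=xsrf-backend; Path=/sonarqube
Set-Cookie: JWT-SESSION=jwt.proxy.value; Path=/sonarqube; HttpOnly
Content-Length: 0

"""


def set_cookie_headers(raw: bytes) -> List[str]:
    """Return every Set-Cookie header value from the header block, in order.

    CRLF and bare LF are both accepted so captured and hand-written samples
    parse the same way. The body is never inspected.
    """
    head = raw.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0]
    lines = head.decode("latin-1").split("\n")[1:]  # drop the status line
    values = []
    for line in lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def cookie_pairs(raw: bytes) -> List[Tuple[str, str]]:
    """Reduce each Set-Cookie header to (cookie-name, cookie-value).

    Attributes such as Path and HttpOnly are discarded; a browser keys its
    cookie jar on name + domain + path, so this name-only comparison matches
    the scanner's report rather than the browser's exact storage rule.
    """
    pairs = []
    for header in set_cookie_headers(raw):
        first = header.split(";", 1)[0]
        name, _, value = first.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs


def duplicate_cookies(raw: bytes) -> Dict[str, List[str]]:
    """Cookie names set more than once, mapped to all their values in header order."""
    seen: Dict[str, List[str]] = OrderedDict()
    for name, value in cookie_pairs(raw):
        seen.setdefault(name, []).append(value)
    return {name: values for name, values in seen.items() if len(values) > 1}


def effective_cookies(raw: bytes) -> Dict[str, str]:
    """Value the client ends up with: the last Set-Cookie for a name wins."""
    return {name: value for name, value in cookie_pairs(raw)}


def proxy_introduced(direct: bytes, proxied: bytes) -> Set[str]:
    """Cookie names that are duplicated only once the response passes the proxy."""
    return set(duplicate_cookies(proxied)) - set(duplicate_cookies(direct))


if __name__ == "__main__":
    for label, raw in (("direct", DIRECT_RESPONSE), ("via proxy", PROXIED_RESPONSE)):
        print(label, "duplicates:", duplicate_cookies(raw))
        print(label, "effective:", effective_cookies(raw))
    print("proxy-introduced:", proxy_introduced(DIRECT_RESPONSE, PROXIED_RESPONSE))
```

If a name shows up in proxy_introduced(), the fix belongs in the proxy configuration; if the backend response alone already lists it in duplicate_cookies(), it is the application, which is the case the JWT refresh fix in 8.4 addresses.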