Difference between revisions of "OSSN/OSSN-0036"
< OSSN
(Created page with "__NOTOC__ == Horizon does not set Secure Attribute in cookies == === Summary === Horizon does not, by default, set the Secure Attribute in cookies. === Affected Services /...") |
m (→Contacts / References) |
||
| Line 24: | Line 24: | ||
=== Contacts / References === | === Contacts / References === | ||
| + | * Author: Robert Clark, HP | ||
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0036 | * This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0036 | ||
* Related OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0035 | * Related OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0035 | ||
Latest revision as of 09:47, 22 July 2016
Horizon does not set Secure Attribute in cookies
Summary
Horizon does not, by default, set the Secure Attribute in cookies.
Affected Services / Software
Horizon, Django, SSL, TLS
Discussion
When used in production, Horizon should have the Secure Attribute for cookies set. When this flag is set, browsers will only transfer the cookie over secure channels. Without it set, browsers may transfer the cookie over plain-text channels, potentially exposing the contents to an attacker who can then use the cookie to authenticate with the Horizon server as the original user.
Recommended Actions
Enable secure cookie by setting the SESSION_COOKIE_SECURE config flag to true as described in the Django documentation:
Contacts / References
- Author: Robert Clark, HP
- This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0036
- Related OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0035
- Original LaunchPad Bug : https://bugs.launchpad.net/horizon/+bug/1191051
- OpenStack Security ML : openstack-security@lists.openstack.org
- OpenStack Security Group : https://launchpad.net/~openstack-ossg
