31 lines
1.2 KiB
Plaintext
31 lines
1.2 KiB
Plaintext
Horizon does not set Secure Attribute in cookies
|
|
---
|
|
|
|
### Summary ###
|
|
Horizon does not, by default, set the Secure Attribute in cookies.
|
|
|
|
### Affected Services / Software ###
|
|
Horizon, Django, SSL, TLS
|
|
|
|
### Discussion ###
|
|
When used in production, Horizon should have the Secure Attribute for
|
|
cookies set. When this flag is set, browsers will only transfer the
|
|
cookie over secure channels. Without it set, browsers may transfer the
|
|
cookie over plain-text channels, potentially exposing the contents to an
|
|
attacker who can then use the cookie to authenticate with the Horizon
|
|
server as the original user.
|
|
|
|
### Recommended Actions ###
|
|
Enable secure cookie by setting the SESSION_COOKIE_SECURE config flag to
|
|
true as described in the Django documentation:
|
|
|
|
https://docs.djangoproject.com/en/dev/ref/settings/#std:setting-SESSION_COOKIE_SECURE
|
|
|
|
### Contacts / References ###
|
|
Author: Robert Clark, HP
|
|
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0036
|
|
Related OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0035
|
|
Original LaunchPad Bug : https://bugs.launchpad.net/horizon/+bug/1191051
|
|
OpenStack Security ML : openstack-security@lists.openstack.org
|
|
OpenStack Security Group : https://launchpad.net/~openstack-ossg
|