The "message" cookie is not marked as "secure"
Bug #1369870 reported by Zhang Yun
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Dashboard (Horizon) | Won't Fix | Medium | Unassigned |
Bug Description
The message cookie is not marked as 'secure', as identified by the following security report. It might contain sensitive information, and would benefit from being marked as secure.
---
Affected URL: https:/
Affected Entity: messages, django_timezone, horizon_pagesize, and horizon_language
Risk: It may be possible to steal user and session information (cookies) that was sent during an encrypted session
Causes: The web application sends non-secure cookies over SSL
Recommend Fix: Add the 'Secure' attribute to all sensitive cookies
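As an added defender-side check (not part of the bug report or of Horizon's own code), the following script walks a list of Set-Cookie header values and reports which of the cookies named in this report are set without the Secure attribute. The header values are constructed samples, since the report's own sample response is not included here.

```python
from typing import Iterable

# Cookie names called out in this bug report.
SENSITIVE_COOKIES = {"messages", "django_timezone", "horizon_pagesize", "horizon_language"}


def parse_set_cookie(header_value: str) -> tuple[str, set[str]]:
    """Split one Set-Cookie value into (cookie name, lowercased attribute names).

    Attributes such as Secure, HttpOnly and Path are case-insensitive per RFC 6265,
    so they are normalised to lower case before comparison.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def insecure_cookies(headers: Iterable[str], sensitive=SENSITIVE_COOKIES) -> list[str]:
    """Return the names of sensitive cookies that were set without the Secure attribute.

    A cookie without Secure is sent by the browser over plain HTTP as well as HTTPS,
    which is the exposure the report describes.
    """
    missing = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if name in sensitive and "secure" not in attrs:
            missing.append(name)
    return missing


# Constructed sample Set-Cookie values (not taken from the report).
SAMPLE_HEADERS = [
    "messages=...; Path=/; HttpOnly",
    "django_timezone=UTC; Path=/",
    "horizon_pagesize=20; Path=/; Secure",
    "horizon_language=en; Path=/; secure; HttpOnly",
    "csrftoken=abc; Path=/",  # not in the report's list, so not flagged
]

if __name__ == "__main__":
    # On the constructed sample this reports messages and django_timezone.
    print("cookies missing Secure:", insecure_cookies(SAMPLE_HEADERS))
```

The same loop can be fed the Set-Cookie values captured from a real Horizon response to confirm whether the fix (setting the Secure attribute when these cookies are written) has landed.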
description: | updated |
description: | updated |
tags: | added: security |
Changed in horizon: | |
status: | New → Confirmed |
importance: | Undecided → Medium |
summary: | - The cookies for messages, django_timezone, horizon_pagesize, and horizon_language are not marked as "secure" → + The "message" cookie is not marked as "secure" |
description: | updated |
Changed in horizon: | |
assignee: | nobody → Swati Shukla (swati-shukla1) |
Changed in horizon: | |
assignee: | Swati Shukla (swati-shukla1) → nobody |
Changed in horizon: | |
assignee: | nobody → Kent Wang (k.wang) |
Zhang Yun, based on our other conversation I think you might have misstated the issue for this bug.
I think the concern is that the cookies for messages, django_timezone, horizon_pagesize, and horizon_language are not marked as "secure". Is that right? If so, please update the title and remove the sample response (it doesn't show those cookies).