Missing HttpOnly Attribute in Session Cookie

Bug #1369876 reported by Zhang Yun
Affects: OpenStack Dashboard (Horizon)
Status: Won't Fix
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Affected URL: https://Ip_address/admin/
Entity: csrftoken (Cookie)
Risk: It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user.
Cause: The web application sets session cookies without the HttpOnly attribute
Recommended Fix: Add the 'HttpOnly' attribute to all session cookies.

The Test Requests and Responses:
GET /admin/ HTTP/1.1
Host: 9.5.29.52
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: https://9.5.29.52/
Cookie: csrftoken=JPjBiDp6Ex6YDw3sgfZPCTPUwWKZdZTm; sessionid=oad3bpy15qm8ntml9wx604yr79cc6zpb
Connection: keep-alive

HTTP/1.1 200 OK
Date: Fri, 12 Sep 2014 07:52:50 GMT
Server: Apache
Vary: Accept-Language,Cookie,Accept-Encoding
X-Frame-Options: SAMEORIGIN
Content-Language: en
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
Set-Cookie: csrftoken=silTP6ARbLvXohF6YYFLlWHce0KZkjPy; expires=Fri, 11-Sep-2015 07:52:52 GMT; Max-Age=31449600; Path=/; secure
Set-Cookie: sessionid=ygq094phgr6og471j6n0asq7x6q37j6n; httponly; Path=/; secure
<!DOCTYPE html>
<html>
<head>
<meta content='text/html; charset=utf-8' http-equiv='Content-Type' />
<title>Usage Overview - Cloud Management Dashboard</title>
<!--
Copyright 2014 *** Corp.
-->
<link rel="stylesheet" href="/static/dashboard/css/5730bed76fd3.css" type="text/css" media="screen" />
<link rel="shortcut icon" href="/static/dashboard/img/favicon.png"/>
<!--
Fix header padding issue in IE < 10
-->
<!--[if lt IE 10 ]>
<style>
.topbar {
padding-bottom: 0px;
}
</style>
<![endif]-->
<script type="text/javascript" src="/static/dashboard/js/841198948869.js"></script>
<script type="text/javascript" charset="utf-8">
/*
Added so that we can append Horizon scoped JS events to
the DOM load events without running in to the "horizon"
name-space not currently being defined since we load the
scripts at the bottom of the page.
*/
var addHorizonLoadEvent = function(func) {
var old_onload = window.onload;
if (typeof window.onload != 'function') {
window.onload = func;
} else {
window.onload = function() {
old_onload();
func();
}
}
}
</script>
</head>
<body id="" ng-app='hz'>
<div id="container">
<div class='topbar'>
<!--
Copyright 2014 ***Corp.
-->
<h1 class="brand"><a href="/home/">Cloud Management Dashboard</a></h1>
<div id="user_info" class="pull-right">
<div id="tenant_switcher" class="dropdown switcher_bar hide_image " tabindex="1">
<div>admin</div>
</div>
<div id="profile_editor_switcher" class="dropdown switcher_bar" tabindex='1'>
<a class="dropdown-toggle" data-toggle="dropdown" href="#profile_editor_switcher">
<div>admin</div>
</a>
<ul id="editor_list" class="dropdown-menu">
<li class='divider'></li>
<li><a href="/settings/">Settings</a></li>
<li><a href="http://docs.openstack.org" target="_new">Help</a></li>
<li><a href="/auth/logout/">Sign Out</a></li>
</ul>
</div>
<img class="brand_icon" src="/static/dashboard/img/logo.png" alt=""/>
</div>
</div>
<div id='main_content'>
<div class="messages">
</div>
<div class='sidebar'>
<div>
<dl class="nav_accordion">
<dt >
<div>Project</div>
</dt>
<dd style="display:none;">
<div><h4><div>Compute</div></h4>
<ul>
<li><a href="/project/" tabindex="1" >Overview</a></li>
<li><a href="/project/instances/" tabindex="2" >Instances</a></li>
<li><a href="/project/volumes/" tabindex="3" >Volumes</a></li>
<li><a href="/project/images/" tabindex="4" >Images</a></li>
<li><a href="/project/access_and_security/" tabindex="5" >Access &amp; Security</a></li>
</ul>
</div>
<div><h4><div>Network</div></h4>
<ul>
<li><a href="/project/network_topology/" tabindex="1" >Network Topology</a></li>
<li><a href="/project/networks/" tabindex="2" >Networks</a></li>
<li><a href="/project/routers/" tabindex="3" >Routers</a></li>
</ul>
</div>
<div><h4><div>Orchestration</div></h4>
<ul>
<li><a href="/project/stacks/" tabindex="1" >Stacks</a></li>
</ul>
</div>
...
...
...

Tags: security
Zhang Yun (zhangyun)
description: updated
tags: added: security
Changed in horizon:
status: New → Confirmed
Revision history for this message
Sam Betts (sambetts) wrote :

As far as I can tell, in master right now SESSION_COOKIE_HTTPONLY = True, which should add httponly to all session cookies.

Revision history for this message
Doug Fish (drfish) wrote :

Django 1.6 introduces a new setting to make the CSRF cookie (which is separate from the session cookie) httponly.
https://docs.djangoproject.com/en/1.6/ref/settings/#csrf-cookie-httponly

Our docs say to use it
https://github.com/openstack/horizon/blob/a0f7235278cfe187b2ff31bfb787548735111c8b/doc/source/topics/deployment.rst#secure-site-recommendations
so I assume it has been tested and works (offhand, I wasn't sure if our javascript was ever used to extract and send that value in a form), on the other hand our documentation suggests this has been available since 1.4, which is wrong. So that's not exactly confidence inspiring.

@Zhang Yun, can you verify that setting
CSRF_COOKIE_HTTPONLY = True in your local_settings file addresses your concern?

Revision history for this message
Doug Fish (drfish) wrote :

Reading more carefully, I see our docs don't mention CSRF_COOKIE_HTTPONLY, so they aren't wrong. (They reference CSRF_COOKIE_SECURE.) But this also suggests that no investigation has been done on potential side-effects.

Revision history for this message
Christoph Dwertmann (cdwertmann) wrote :

CSRF_COOKIE_HTTPONLY = True

This setting fixes the issue for me on icehouse:

Set-Cookie: csrftoken=PYvm2g1ms6sp1solX5h7Wsul82VNSasU; expires=Mon, 22-Feb-2016 01:25:14 GMT; httponly; Max-Age=31449600; Path=/; secure
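
Added example, not part of this thread and not Horizon or Django code: a small Python audit that parses the Set-Cookie headers quoted in this report, flags the sessionid and csrftoken cookies when they lack HttpOnly or Secure, and maps each gap to the Django setting that adds the attribute. The header strings are copied from the bug description (the csrftoken cookie without httponly) and from the comment above (the same cookie after CSRF_COOKIE_HTTPONLY = True). The cookie names and setting names are Django's defaults; the function names and the REMEDIATION table are this example's own.

```python
"""Audit Set-Cookie headers for missing HttpOnly/Secure on Django cookies.

Illustrative example for bug #1369876; not code from Horizon or Django.
"""
from typing import Dict, List, Tuple

# Django settings that add each attribute, keyed by (cookie name, attribute).
# Cookie names are Django's defaults for the session and CSRF cookies.
REMEDIATION = {
    ("sessionid", "httponly"): "SESSION_COOKIE_HTTPONLY = True",
    ("sessionid", "secure"): "SESSION_COOKIE_SECURE = True",
    ("csrftoken", "httponly"): "CSRF_COOKIE_HTTPONLY = True",
    ("csrftoken", "secure"): "CSRF_COOKIE_SECURE = True",
}

# Copied from the response in the bug description: csrftoken has no httponly.
VULNERABLE_RESPONSE = [
    "Set-Cookie: csrftoken=silTP6ARbLvXohF6YYFLlWHce0KZkjPy; "
    "expires=Fri, 11-Sep-2015 07:52:52 GMT; Max-Age=31449600; Path=/; secure",
    "Set-Cookie: sessionid=ygq094phgr6og471j6n0asq7x6q37j6n; httponly; Path=/; secure",
]

# Copied from the comment reporting CSRF_COOKIE_HTTPONLY = True on Icehouse.
FIXED_RESPONSE = [
    "Set-Cookie: csrftoken=PYvm2g1ms6sp1solX5h7Wsul82VNSasU; "
    "expires=Mon, 22-Feb-2016 01:25:14 GMT; httponly; Max-Age=31449600; Path=/; secure",
]


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Return (cookie name, {attribute_lowercase: value}) for one Set-Cookie line.

    Attribute names are case-insensitive per RFC 6265, so they are lowercased;
    flag attributes such as 'secure' and 'httponly' map to an empty string.
    """
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit(headers: List[str], sensitive=("sessionid", "csrftoken")) -> List[str]:
    """Return one remediation hint per sensitive cookie missing HttpOnly or Secure."""
    findings = []
    for line in headers:
        name, attrs = parse_set_cookie(line)
        if name not in sensitive:
            continue
        for flag in ("httponly", "secure"):
            if flag not in attrs:
                findings.append(f"{name}: missing {flag} -> {REMEDIATION[(name, flag)]}")
    return findings


if __name__ == "__main__":
    for label, response in (("vulnerable", VULNERABLE_RESPONSE), ("fixed", FIXED_RESPONSE)):
        print(label, audit(response) or ["no findings"])
```

The audit treats Secure and HttpOnly as independent because they cover different exposures: Secure keeps the cookie off cleartext connections, HttpOnly keeps it away from script, so CSRF_COOKIE_SECURE alone does not remove the finding the scanner raised. Django's own documentation for CSRF_COOKIE_HTTPONLY notes that once the CSRF cookie is HttpOnly, JavaScript that sends the token with AJAX requests must read it from the hidden csrfmiddlewaretoken form input instead of the cookie, which is the side-effect the question about Horizon's JavaScript above is asking about.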

Revision history for this message
Matt Borland (palecrow) wrote :

FYI, I believe this has been addressed by the settings as outlined in local_settings.py.example, as also evidenced by the documentation Doug referenced:

# If Horizon is being served through SSL, then uncomment the following two
# settings to better secure the cookies from security exploits
#CSRF_COOKIE_SECURE = True
#SESSION_COOKIE_SECURE = True

Revision history for this message
Matt Borland (palecrow) wrote :

Yeah, reference: https://docs.djangoproject.com/en/1.8/ref/settings/#csrf-cookie-secure ; I'm pretty sure that is the preferred method of dealing with cookie disclosure.

Changed in horizon:
status: Confirmed → Won't Fix