When enforcing HTTPS, enforce cookies to be HTTPS-Only too
Bug #1822751 reported by Tilman Baumann
This bug affects 3 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Dashboard Charm | Expired | High | Unassigned | |
Bug Description
A customer approached us about this "Severe Security Vulnerability".
Missing Secure Flag From SSL Cookie (http-cookie-
Description:
The Secure attribute tells the browser to only send the cookie if the request is being sent over a secure channel such as HTTPS. This will help protect the cookie from being passed over unencrypted requests. If the application can be accessed over both HTTP and HTTPS, then there is the potential that the cookie can be sent in clear text.
It seems reasonably simple and useful to set that attribute on the cookie in the Apache SSL frontend when HTTPS is enforced.
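As an added illustration (not the charm's own code or configuration) of what setting the attribute in the Apache SSL frontend looks like, assuming mod_headers is loaded and that this is the TLS vhost the dashboard is served from; the hostname is a placeholder:

```apache
# Added example, not part of the charm. Assumes mod_headers is enabled and
# that this vhost is the one serving the dashboard over TLS.
<VirtualHost *:443>
    # placeholder hostname
    ServerName dashboard.example.com
    SSLEngine on

    # Append "Secure" to every Set-Cookie the dashboard emits that does not
    # already carry it, so the browser never sends the cookie over plain HTTP.
    # The negative lookahead avoids stacking a second Secure attribute when the
    # application has already set one.
    Header edit Set-Cookie "^(?!.*;[ \t]*[Ss]ecure\b)(.*)$" "$1; Secure"

    # Only meaningful on the TLS vhost: a Secure attribute on a cookie set over
    # plain HTTP is ignored by browsers, and with HTTPS enforced the :80 vhost
    # below only redirects and never sets cookies itself.
</VirtualHost>

<VirtualHost *:80>
    ServerName dashboard.example.com
    Redirect permanent / https://dashboard.example.com/
</VirtualHost>
```

Horizon is a Django application, so the same cookie attribute can also be set application-side with Django's SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE settings; doing it in the frontend as proposed above covers every cookie the dashboard emits regardless of application settings. After deploying, verify with the browser's developer tools or by inspecting the Set-Cookie headers of an HTTPS response that each cookie now carries Secure.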
Activity log:
- tags: added: potential-backport
- Changed in charm-openstack-dashboard: status: New → Triaged
- Changed in charm-openstack-dashboard: importance: Undecided → High
- Changed in charm-openstack-dashboard: status: Triaged → In Progress
- Changed in charm-openstack-dashboard: milestone: none → 19.10
- Changed in charm-openstack-dashboard: status: Fix Committed → Fix Released
- Changed in charm-openstack-dashboard: assignee: Sahid Orentino (sahid-ferdjaoui) → nobody
- Changed in charm-openstack-dashboard: status: New → Triaged
- Changed in charm-openstack-dashboard: milestone: 20.01 → 20.05
- Changed in charm-openstack-dashboard: milestone: 20.05 → 20.08
- Changed in charm-openstack-dashboard: assignee: nobody → Alex Kavanagh (ajkavanagh)
Agree it seems to be a reasonable ask.