Horizon does not set Secure Attribute in cookies
Bug #1191051 reported by Joaquin Berrios
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Dashboard (Horizon) | Invalid | Undecided | Unassigned |
OpenStack Security Notes | Fix Released | Undecided | Robert Clark |
Bug Description
Version: 2012.2
The cookies used by Horizon do not have the Secure Attribute set, which allows them to be sent over unencrypted requests. This could result in stolen sessions, as it is trivial to force the browser to make unencrypted requests. For more information see
https:/
Changed in ossn:
assignee: nobody → Robert Clark (robert-clark)
This one's a bit of a gray area... I guess the question is whether there's any reason this shouldn't be set, or should be configurable (do we support test deployments using cleartext HTTP?).
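A check a deployer could run over the `Set-Cookie` headers returned by the dashboard to confirm whether the attribute described in this report is present. This is an added example, not part of the original bug report or Horizon's code; the header values are constructed samples and `cookies_missing_secure` is a hypothetical helper name.

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie header values (not captured from a real deployment).
# "sessionid" and "csrftoken" are Django's default cookie names.
SAMPLE_HEADERS = [
    "sessionid=0123456789abcdef; HttpOnly; Path=/",          # no Secure
    "csrftoken=fedcba9876543210; Path=/; Secure",            # Secure set
    "sessionid=0123456789abcdef; httponly; Path=/; secure",  # lowercase flags
]


def cookies_missing_secure(set_cookie_headers):
    """Return (header_index, cookie_name) for every cookie set without Secure.

    A cookie without the Secure attribute is attached by the browser to
    plain http:// requests for the same host, so it can cross the network
    unencrypted even when the site is normally served over HTTPS.
    """
    findings = []
    for index, raw in enumerate(set_cookie_headers):
        jar = SimpleCookie()
        jar.load(raw)
        if not jar:
            # Nothing parsed: report it rather than silently passing it.
            findings.append((index, "<unparseable>"))
            continue
        for name, morsel in jar.items():
            # Attribute names are matched case-insensitively by the parser;
            # the flag is True when present and "" when absent.
            if not morsel["secure"]:
                findings.append((index, name))
    return findings


if __name__ == "__main__":
    for index, name in cookies_missing_secure(SAMPLE_HEADERS):
        print(f"header {index}: cookie {name!r} is set without Secure")
```

In Django, which Horizon is built on, the `SESSION_COOKIE_SECURE` and `CSRF_COOKIE_SECURE` settings control whether this attribute is emitted for the session and CSRF cookies.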