OpenStack Dashboard (Horizon)

Bug #1191051
Comment #13

Comment 13 for bug 1191051

Revision history for this message

Robert Clark (robert-clark) wrote on 2013-09-19:

#13

Horizon does not set Secure Attribute in cookies
-----
### Summary ###
Horizon does not, by default, set the Secure Attribute in cookies

### Affected Services / Software ###
Horizon, Django

### Discussion ###
When used in production, Horizon should have the Secure Attribute for cookies set. When this flag is set, browsers will only transfer the cookie over secure channels. Without it set, browsers may transfer the cookie over plain-text channels, potentially exposing the contents to an attacker who can then use the cookie to authenticate with the Horizon server as the original user.

### Recommended Actions ###
Enable secure cookie by setting the SESSION_COOKIE_SECURE config flag to true:
https://docs.djangoproject.com/en/dev/ref/settings/#std:setting-SESSION_COOKIE_SECURE

### Contacts / References ###
This OSSN : https://bugs.launchpad.net/ossn/+bug/1191051
Related Horizon/Django OSSN : https://bugs.launchpad.net/ossn/+bug/1191050
OpenStack Security ML : openstack-security at lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg