The "message" cookie is not marked as "secure"

Bug #1369870 reported by Zhang Yun
Affects: OpenStack Dashboard (Horizon)
Status: Won't Fix
Importance: Medium
Assigned to: Unassigned

Bug Description

The message cookie is not marked as 'secure', as identified by the following security report. It might contain sensitive information, and would benefit from being marked as secure.

---

Affected URL: https://Ip_address/settings/
Affected Entity: messages, django_timezone, horizon_pagesize, and horizon_language
Risk: It may be possible to steal user and session information (cookies) that was sent during an encrypted session

Causes: The web application sends non-secure cookies over SSL

Recommended Fix: Add the 'Secure' attribute to all sensitive cookies

Tags: security
Zhang Yun (zhangyun)
description: updated
Revision history for this message
Doug Fish (drfish) wrote :

Zhang Yun, based on our other conversation I think you might have misstated the issue for this bug.

I think the concern is that the cookies for messages, django_timezone, horizon_pagesize, and horizon_language are not marked as "secure". Is that right? If so, please update the title and remove the sample response (it doesn't show those cookies).

Changed in horizon:
status: New → Incomplete
Revision history for this message
Zhang Yun (zhangyun) wrote : Re: The cookies for messages, django_timezone,horizon_pagesize, and horizon_language are not marked as "secure"

Thanks Doug, I updated the title and removed sample response.

summary: - Missing Secure Attribute in Encrypted Session (SSL) Cookie
+ The cookies for messages, django_timezone,horizon_pagesize, and
+ horizon_language are not marked as "secure"
Zhang Yun (zhangyun)
description: updated
tags: added: security
Revision history for this message
Zhang Yun (zhangyun) wrote :

Hi Doug, I modified the title and removed the sample response according to your comments. Would you please take some time to re-investigate it? Thanks.

Changed in horizon:
status: Incomplete → New
Revision history for this message
Gary W. Smith (gary-w-smith) wrote :

These fields don't contain sensitive information, so why do they need to be marked secure? Can you help explain what the security risk is here?

Revision history for this message
Zhang Yun (zhangyun) wrote :

Ok, if no sensitive information here, please close this bug, thanks.

Revision history for this message
Julie Pichon (jpichon) wrote :

It may be worth considering for the "messages" cookie?

Revision history for this message
Gary W. Smith (gary-w-smith) wrote :

Good catch, Julie. There are probably some messages that could have sensitive info in them. It appears that as of Django 1.7, this can be ensured via the SESSION_COOKIE_SECURE setting (https://docs.djangoproject.com/en/dev/ref/settings/#session-cookie-secure).

Changed in horizon:
status: New → Confirmed
importance: Undecided → Medium
summary: - The cookies for messages, django_timezone,horizon_pagesize, and
- horizon_language are not marked as "secure"
+ The "message" cookie is not marked as "secure"
description: updated
Changed in horizon:
assignee: nobody → Swati Shukla (swati-shukla1)
Changed in horizon:
assignee: Swati Shukla (swati-shukla1) → nobody
Kent Wang (k.wang)
Changed in horizon:
assignee: nobody → Kent Wang (k.wang)
Revision history for this message
Kent Wang (k.wang) wrote :

Hi, I'm unable to find the 'messages' cookie or form field in settings. Is it still there now?

Revision history for this message
Kent Wang (k.wang) wrote :

Marking as incomplete. May already be fixed.

Changed in horizon:
status: Confirmed → Incomplete
Revision history for this message
Rob Cresswell (robcresswell-deactivatedaccount) wrote :

The default value for SESSION_COOKIE_SECURE is False, but the deployment guide advises changing it to True.

Changed in horizon:
status: Incomplete → Won't Fix
assignee: Kent Wang (k.wang) → nobody
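The two points raised in the thread, that the cookies flagged by the scanner lack the Secure attribute and that Django's SESSION_COOKIE_SECURE defaults to False unless a deployer changes it, can both be checked mechanically. The script below is an added example written for this page; it is not Horizon or Django code. It parses Set-Cookie header values the way the scanner in the report would see them and reports any cookie that an HTTPS response sets without Secure, rating the cookie names the thread treats as sensitive (messages, sessionid) higher than the preference cookies. A second function reviews a settings dictionary for the cookie-security keys that should be True in a TLS deployment; the sample headers, cookie values and settings dictionaries are constructed for the example and are not captured from a Horizon instance.

```python
"""Audit Set-Cookie headers and Django cookie settings for the Secure attribute.

Added example for this bug thread; not part of Horizon or Django.
"""
from typing import Dict, List, Tuple

# Cookies the thread considers worth protecting. "messages" is the Django
# messages-framework cookie named in the bug; "sessionid" is Django's default
# session cookie. The preference cookies from the report are rated low.
SENSITIVE_COOKIES = {"messages", "sessionid"}

# Settings that control the Secure attribute on Django-managed cookies.
# Per the thread, SESSION_COOKIE_SECURE defaults to False and also governs the
# messages cookie from Django 1.7 on; CSRF_COOKIE_SECURE does the same for csrftoken.
DJANGO_COOKIE_SECURE_SETTINGS = ("SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE")


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Parse one Set-Cookie header value.

    Returns a dict with 'name' and 'value' plus one key per attribute
    (lower-cased). Flag attributes such as Secure and HttpOnly map to ''.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip()
    return cookie


def audit_cookies(headers: List[str], over_tls: bool = True) -> List[Tuple[str, str]]:
    """Return (cookie name, risk) for every cookie set without Secure.

    over_tls=False models a plain-HTTP deployment, where the Secure attribute
    would prevent the cookie from being sent at all, so nothing is reported.
    """
    findings = []
    if not over_tls:
        return findings
    for header in headers:
        cookie = parse_set_cookie(header)
        if "secure" not in cookie:
            risk = "high" if cookie["name"] in SENSITIVE_COOKIES else "low"
            findings.append((cookie["name"], risk))
    return findings


def audit_django_settings(settings: Dict[str, object]) -> List[str]:
    """Return the cookie-security settings that are absent or not True.

    An absent key is reported because Django's default for these settings is
    False, which is the case the last comment in the thread describes.
    """
    return [key for key in DJANGO_COOKIE_SECURE_SETTINGS if settings.get(key) is not True]


# Constructed sample: what an HTTPS response from the /settings/ page might
# carry when only the session and CSRF cookies are marked Secure.
SAMPLE_RESPONSE_HEADERS = [
    "sessionid=CONSTRUCTED_SESSION_ID; Path=/; HttpOnly; Secure",
    "csrftoken=CONSTRUCTED_CSRF_TOKEN; Path=/; Secure",
    "messages=CONSTRUCTED_MESSAGE_PAYLOAD; Path=/",
    "django_timezone=UTC; Path=/",
    "horizon_pagesize=20; Path=/",
    "horizon_language=en; Path=/",
]

# Constructed local_settings fragments: the default-equivalent weak form and
# the form the deployment guide asks for on a TLS deployment.
WEAK_LOCAL_SETTINGS = {"SESSION_COOKIE_SECURE": False}
HARDENED_LOCAL_SETTINGS = {"SESSION_COOKIE_SECURE": True, "CSRF_COOKIE_SECURE": True}


if __name__ == "__main__":
    for name, risk in audit_cookies(SAMPLE_RESPONSE_HEADERS):
        print(f"{name}: set without Secure (risk: {risk})")
    for key in audit_django_settings(WEAK_LOCAL_SETTINGS):
        print(f"{key}: not True in settings")
```

Running the module against the constructed headers reports messages as a high-risk finding and the three preference cookies as low-risk, which mirrors the split the thread arrived at; the weak settings fragment is flagged on both keys while the hardened one is clean.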