yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1191051] Re: Horizon does not set Secure Attribute in cookies

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Thierry Carrez <thierry.carrez+lp@xxxxxxxxx>
Date: Mon, 15 Jul 2013 14:09:48 -0000
Reply-to: Bug 1191051 <1191051@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Would make a great "recommended Django deploy options for Horizon" OSSN
together with bug 1191050

** Information type changed from Private Security to Public

** Also affects: ossn
   Importance: Undecided
       Status: New

** No longer affects: ossa

** Changed in: horizon
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1191051

Title:
  Horizon does not set Secure Attribute in cookies

Status in OpenStack Dashboard (Horizon):
  Invalid
Status in OpenStack Security Notes:
  New

Bug description:
  Version:         2012.2

  The cookies used by Horizon do not have the Secure Attribute set, which allows them to be sent over unencrypted requests. This could result in stolen sessions, as it is trivial to force the browser to make unencrypted requests. For more information see 
  https://www.owasp.org/index.php/Testing_for_cookies_attributes_%28OWASP-SM-002%29

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1191051/+subscriptions