yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1191051] Re: Horizon does not set Secure Attribute in cookies

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Robert Clark <1191051@xxxxxxxxxxxxxxxxxx>
Date: Thu, 19 Sep 2013 17:40:56 -0000
Reply-to: Bug 1191051 <1191051@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Posted to OpenStack ML 19-9-13

** Changed in: ossn
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1191051

Title:
  Horizon does not set Secure Attribute in cookies

Status in OpenStack Dashboard (Horizon):
  Invalid
Status in OpenStack Security Notes:
  Fix Released

Bug description:
  Version:         2012.2

  The cookies used by Horizon do not have the Secure Attribute set, which allows them to be sent over unencrypted requests. This could result in stolen sessions, as it is trivial to force the browser to make unencrypted requests. For more information see 
  https://www.owasp.org/index.php/Testing_for_cookies_attributes_%28OWASP-SM-002%29

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1191051/+subscriptions