yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1369870] Re: The "message" cookie is not marked as "secure"

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Rob Cresswell <rcresswe@xxxxxxxxx>
Date: Tue, 12 Jan 2016 13:15:42 -0000
Reply-to: Bug 1369870 <1369870@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

The default value for SESSION_COOKIE_SECURE is False, but the deployment
guide advises changing it to True.

** Changed in: horizon
       Status: Incomplete => Won't Fix

** Changed in: horizon
     Assignee: Kent Wang (k.wang) => (unassigned)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1369870

Title:
  The "message" cookie is not marked as "secure"

Status in OpenStack Dashboard (Horizon):
  Won't Fix

Bug description:
  The message cookie is not marked as 'secure', as identified by the
  following security report.  If might contain sensitive information,
  and would benefit from being marked as secure.

  ---

  Affected URL: https://Ip_address/settings/
  Affected Entity: messages, django_timezone, horizon_pagesize, and horizon_language
  Risk: It may be possible to steal user and session information (cookies) that was sent during an encrypted session

  Causes: The web application sends non-secure cookies over SSL

  Recommend Fix: Add the 'Secure' attribute to all sensitive cookies

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1369870/+subscriptions

References

[Bug 1369870] [NEW] Missing Secure Attribute in Encrypted Session (SSL) Cookie
From: Zhang Yun, 2014-09-16