[Openstack-security] [Bug 1369870] Re: The cookies for messages, django_timezone, horizon_pagesize, and horizon_language are not marked as "secure"
Gary W. Smith
gary.w.smith at hp.com
Mon Sep 29 20:17:43 UTC 2014
Good catch, Julie. There are probably some messages that could have
sensitive info in them. It appears that as of Django 1.7, this can be
made sure via the SESSION_COOKIE_SECURE setting
(https://docs.djangoproject.com/en/dev/ref/settings/#session-cookie-secure)
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1369870
Title:
The cookies for messages, django_timezone, horizon_pagesize, and
horizon_language are not marked as "secure"
Status in OpenStack Dashboard (Horizon):
New
Bug description:
Affected URL: https://Ip_address/settings/
Affected Entity: messages, django_timezone, horizon_pagesize, and horizon_language
Risk: It may be possible to steal user and session information (cookies) that were sent during an encrypted session
Causes: The web application sends non-secure cookies over SSL
Recommended Fix: Add the 'Secure' attribute to all sensitive cookies
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1369870/+subscriptions
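The finding above is the kind of thing a reviewer verifies by reading the Set-Cookie headers a response actually emits, rather than trusting a single setting, since the check does not depend on which Django or Horizon setting produces each cookie. The following is an added example, not code from this thread, from Horizon or from Django: it parses constructed Set-Cookie headers (the cookie names match the bug report, the values and attributes are made up), lists the cookies that lack a given attribute, and shows the minimal remediation of appending `Secure` where it is missing. The header list, `find_cookies_missing`, and `add_secure_attribute` are all assumptions of this example.

```python
"""Audit Set-Cookie headers for the 'Secure' attribute (and, more generally,
any cookie attribute) and show the minimal fix of appending it when absent.
Added example; the sample headers below are constructed, not captured."""
from typing import Dict, List

# Constructed sample: headers a Horizon-like /settings/ response might emit.
# The first two carry Secure; the four named in the bug report do not.
SAMPLE_SET_COOKIE_HEADERS = [
    "sessionid=EXAMPLE_SESSION; Path=/; HttpOnly; Secure",
    "csrftoken=EXAMPLE_TOKEN; Path=/; Secure",
    "messages=EXAMPLE_MSG; Path=/; HttpOnly",
    "django_timezone=UTC; Path=/",
    "horizon_pagesize=20; Path=/",
    "horizon_language=en; Path=/",
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header into name, value and a dict of attributes.

    Attribute names are lower-cased; flag attributes without a value
    (Secure, HttpOnly) are stored as True so lookup is uniform.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def find_cookies_missing(headers: List[str], attribute: str) -> List[str]:
    """Return the names of cookies whose Set-Cookie header lacks `attribute`.

    Checking for "secure" reproduces the bug report; checking for
    "httponly" generalises the same audit to the other common flag.
    """
    wanted = attribute.lower()
    return [
        cookie["name"]
        for cookie in map(parse_set_cookie, headers)
        if wanted not in cookie["attrs"]
    ]


def add_secure_attribute(header: str) -> str:
    """Return the header unchanged if it already carries Secure, otherwise
    append the attribute. This is the remediation the bug report asks for,
    expressed at the header level so it applies to every cookie, not only
    the session cookie."""
    if "secure" in parse_set_cookie(header)["attrs"]:
        return header
    return header.rstrip().rstrip(";") + "; Secure"


if __name__ == "__main__":
    for name in find_cookies_missing(SAMPLE_SET_COOKIE_HEADERS, "secure"):
        print(f"cookie without Secure: {name}")
    for header in SAMPLE_SET_COOKIE_HEADERS:
        print(add_secure_attribute(header))
```

Run against a real deployment, the header list would come from the response to an HTTPS request for the affected URL; the parser and the audit stay the same.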