From 1369865 at bugs.launchpad.net Tue Dec 1 01:20:18 2015
From: 1369865 at bugs.launchpad.net (OpenStack Infra)
Date: Tue, 01 Dec 2015 01:20:18 -0000
Subject: [Openstack-security] [Bug 1369865] Re: Permanent Cookie Contains Sensitive Session Information
References: <20140916062427.24753.72518.malonedeb@soybean.canonical.com>
Message-ID: <20151201012018.3458.31615.malone@gac.canonical.com>

Reviewed:  https://review.openstack.org/246611
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=21a8de1d938479876f5a0277b45b58adc8fc2c86
Submitter: Jenkins
Branch:    master

commit 21a8de1d938479876f5a0277b45b58adc8fc2c86
Author: Kent Wang
Date:   Tue Nov 17 21:26:18 2015 +0000

    Change Permanent Cookie Contain Sensitive Info

    Right now, the 'csrftoken' cookie is stored on disk as a permanent
    cookie. There is a risk for sensitive session information (cookies)
    that are persisted on disk as permanent cookies. This fixes this
    issue by storing the cookies in-memory instead of in persistent
    storage.

    Change-Id: Ia45b09571d495d4f98b60545903af72eb0f061c2
    Closes-Bug: #1369865


** Changed in: horizon
       Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1369865

Title:
  Permanent Cookie Contains Sensitive Session Information

Status in OpenStack Dashboard (Horizon):
  Fix Committed

Bug description:
  Affected URL: https://Ip_address/admin/
  Entity: csrftoken (Cookie)
  Risk: It may be possible to steal session information (cookies) that was kept on disk as permanent cookies.
  Causes: The web application stores sensitive session information in a permanent cookie (on disk)
  Recommended Fix: Avoid storing sensitive session information in permanent cookies

  Test request and response:

  GET /admin/ HTTP/1.1
  Host: 9.5.29.52
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Referer: https://9.5.29.52/
  Cookie: csrftoken=JPjBiDp6Ex6YDw3sgfZPCTPUwWKZdZTm; sessionid=oad3bpy15qm8ntml9wx604yr79cc6zpb
  Connection: keep-alive

  HTTP/1.1 200 OK
  Date: Fri, 12 Sep 2014 07:52:50 GMT
  Server: Apache
  Vary: Accept-Language,Cookie,Accept-Encoding
  X-Frame-Options: SAMEORIGIN
  Content-Language: en
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Transfer-Encoding: chunked
  Content-Type: text/html
  Set-Cookie: csrftoken=silTP6ARbLvXohF6YYFLlWHce0KZkjPy; expires=Fri, 11-Sep-2015 07:52:52 GMT; Max-Age=31449600; Path=/; secure
  Set-Cookie: sessionid=ygq094phgr6og471j6n0asq7x6q37j6n; httponly; Path=/; secure
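The finding above is visible directly in the Set-Cookie headers: the csrftoken cookie carries Expires and Max-Age (so the browser writes it to disk), while sessionid has neither and lives only in memory. The following is an added checker, not part of the bug report or of the Horizon commit, that parses Set-Cookie lines and flags persistent cookies with sensitive names; the set of names treated as sensitive is an assumption. In a Django-based project such as Horizon a session-only CSRF cookie is what setting CSRF_COOKIE_AGE = None produces, although the report does not say which setting the commit changed.

```python
# Added example: audit Set-Cookie headers for sensitive cookies that the
# browser would persist to disk (Expires or Max-Age present), and note
# missing Secure / HttpOnly attributes on the way.
from dataclasses import dataclass, field
from typing import Dict, List

# Assumption: cookie names we consider session-sensitive for this check.
SENSITIVE_NAMES = {"csrftoken", "sessionid"}


@dataclass
class CookieAudit:
    name: str
    persistent: bool
    secure: bool
    httponly: bool
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(value: str) -> CookieAudit:
    """Split one Set-Cookie value into the cookie name and its attributes."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    # A cookie with neither Expires nor Max-Age is a session cookie:
    # kept in memory and discarded when the browser closes.
    persistent = "expires" in attrs or "max-age" in attrs
    return CookieAudit(name, persistent, "secure" in attrs, "httponly" in attrs)


def audit_response(headers: List[str]) -> List[CookieAudit]:
    """Audit every Set-Cookie header in a list of raw response header lines."""
    results = []
    for line in headers:
        if not line.lower().startswith("set-cookie:"):
            continue
        cookie = parse_set_cookie(line.split(":", 1)[1])
        if cookie.persistent and cookie.name.lower() in SENSITIVE_NAMES:
            cookie.findings.append("sensitive cookie persisted to disk (Expires/Max-Age set)")
        if not cookie.secure:
            cookie.findings.append("missing Secure")
        # The CSRF cookie is deliberately readable by page scripts in Django,
        # so HttpOnly is only demanded for the session cookie here.
        if not cookie.httponly and cookie.name.lower() == "sessionid":
            cookie.findings.append("missing HttpOnly")
        results.append(cookie)
    return results


# Constructed sample input: the two Set-Cookie lines from the report's test response.
SAMPLE_HEADERS = [
    "Set-Cookie: csrftoken=silTP6ARbLvXohF6YYFLlWHce0KZkjPy; expires=Fri, 11-Sep-2015 07:52:52 GMT; Max-Age=31449600; Path=/; secure",
    "Set-Cookie: sessionid=ygq094phgr6og471j6n0asq7x6q37j6n; httponly; Path=/; secure",
]

if __name__ == "__main__":
    for c in audit_response(SAMPLE_HEADERS):
        print(c.name, "persistent" if c.persistent else "session-only", c.findings)
```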