[Openstack-security] [Bug 1369876] Re: Missing HttpOnly Attribute in Session Cookie

Sam Betts sam at code-smash.net
Wed Oct 1 11:55:29 UTC 2014


As far as I can tell in master right now SESSION_COOKIE_HTTPONLY = True
which should add httponly to all session cookies.

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1369876

Title:
  Missing HttpOnly Attribute in Session Cookie

Status in OpenStack Dashboard (Horizon):
  Confirmed

Bug description:
  Affected URL: https://Ip_address/admin/
  Entity: csrftoken (Cookie)
  Risk: It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user.
  Causes: The web application sets session cookies without the HttpOnly attribute
  Recommend Fix: Add the 'HttpOnly' attribute to all session cookies.

  The Test Requests and Responses:
  GET /admin/ HTTP/1.1
  Host: 9.5.29.52
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Referer: https://9.5.29.52/
  Cookie: csrftoken=JPjBiDp6Ex6YDw3sgfZPCTPUwWKZdZTm; sessionid=oad3bpy15qm8ntml9wx604yr79cc6zpb
  Connection: keep-alive
  HTTP/1.1 200 OK
  Date: Fri, 12 Sep 2014 07:52:50 GMT
  Server: Apache
  Vary: Accept-Language,Cookie,Accept-Encoding
  X-Frame-Options: SAMEORIGIN
  Content-Language: en
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  2014/9/12 504
  Transfer-Encoding: chunked
  Content-Type: text/html
  Set-Cookie: csrftoken=silTP6ARbLvXohF6YYFLlWHce0KZkjPy; expires=Fri, 11-Sep-2015 07:52:52 GMT; Max-Age=31449600; Path=/; secure
  Set-Cookie: sessionid=ygq094phgr6og471j6n0asq7x6q37j6n; httponly; Path=/; secure
  <!DOCTYPE html>
  <html>
  <head>
  <meta content='text/html; charset=utf-8' http-equiv='Content-Type' />
  <title>Usage Overview - Cloud Management Dashboard</title>
  <!--
  Copyright 2014 *** Corp.
  -->
  <link rel="stylesheet" href="/static/dashboard/css/5730bed76fd3.css" type="text/css" media="screen" />
  <link rel="shortcut icon" href="/static/dashboard/img/favicon.png"/>
  <!--
  Fix header padding issue in IE < 10
  -->
  <!--[if lt IE 10 ]>
  <style>
  .topbar {
  padding-bottom: 0px;
  }
  </style>
  <![endif]-->
  <script type="text/javascript" src="/static/dashboard/js/841198948869.js"></script>
  <script type="text/javascript" charset="utf-8">
  /*
  Added so that we can append Horizon scoped JS events to
  the DOM load events without running in to the "horizon"
  name-space not currently being defined since we load the
  scripts at the bottom of the page.
  */
  var addHorizonLoadEvent = function(func) {
  var old_onload = window.onload;
  if (typeof window.onload != 'function') {
  window.onload = func;
  } else {
  window.onload = function() {
  old_onload();
  func();
  }
  }
  }
  </script>
  </head>
  <body id="" ng-app='hz'>
  <div id="container">
  <div class='topbar'>
  <!--
  Copyright 2014 ***Corp.
  -->
  <h1 class="brand"><a href="/home/">Cloud Management Dashboard</a></h1>
  <div id="user_info" class="pull-right">
  <div id="tenant_switcher" class="dropdown switcher_bar hide_image " tabindex="1">
  <div>admin</div>
  </div>
  <div id="profile_editor_switcher" class="dropdown switcher_bar" tabindex='1'>
  <a class="dropdown-toggle" data-toggle="dropdown" href="#profile_editor_switcher">
  <div>admin</div>
  </a>
  <ul id="editor_list" class="dropdown-menu">
  <li class='divider'></li>
  <li><a href="/settings/">Settings</a></li>
  2014/9/12 505
  TOC
  <li><a href="http://docs.openstack.org" target="_new">Help</a></li>
  <li><a href="/auth/logout/">Sign Out</a></li>
  </ul>
  </div>
  <img class="brand_icon" src="/static/dashboard/img/logo.png" alt=""/>
  </div>
  </div>
  <div id='main_content'>
  <div class="messages">
  </div>
  <div class='sidebar'>
  <div>
  <dl class="nav_accordion">
  <dt >
  <div>Project</div>
  </dt>
  <dd style="display:none;">
  <div><h4><div>Compute</div></h4>
  <ul>
  <li><a href="/project/" tabindex="1" >Overview</a></li>
  <li><a href="/project/instances/" tabindex="2" >Instances</a></li>
  <li><a href="/project/volumes/" tabindex="3" >Volumes</a></li>
  <li><a href="/project/images/" tabindex="4" >Images</a></li>
  <li><a href="/project/access_and_security/" tabindex="5" >Access & Security</a></li>
  </ul>
  </div>
  <div><h4><div>Network</div></h4>
  <ul>
  <li><a href="/project/network_topology/" tabindex="1" >Network Topology</a></li>
  <li><a href="/project/networks/" tabindex="2" >Networks</a></li>
  <li><a href="/project/routers/" tabindex="3" >Routers</a></li>
  </ul>
  </div>
  <div><h4><div>Orchestration</div></h4>
  <ul>
  <li><a href="/project/stacks/" tabindex="1" >Stacks</a></li>
  </ul>
  </div>
  ...
  ...
  ...

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1369876/+subscriptions




More information about the Openstack-security mailing list