[Openstack-security] [Bug 1369876] Re: Missing HttpOnly Attribute in Session Cookie
Doug Fish
drfish at us.ibm.com
Mon Oct 6 13:28:03 UTC 2014
Django 1.6 introduces a new setting to make the csrf cookie (which is separate from the session cookie) httpreadonly.
https://docs.djangoproject.com/en/1.6/ref/settings/#csrf-cookie-httponly
Our docs say to use it
https://github.com/openstack/horizon/blob/a0f7235278cfe187b2ff31bfb787548735111c8b/doc/source/topics/deployment.rst#secure-site-recommendations
so I assume it has been tested and works (offhand, I wasn't sure if our javascript was ever used to extract and send that value in a form). On the other hand, our documentation suggests this has been available since 1.4, which is wrong. So that's not exactly confidence inspiring.
@Zhang Yun, can you verify that setting CSRF_COOKIE_HTTPONLY = True in your local_settings file addresses your concern?
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1369876
Title:
Missing HttpOnly Attribute in Session Cookie
Status in OpenStack Dashboard (Horizon):
Confirmed
Bug description:
Affected URL: https://Ip_address/admin/
Entity: csrftoken (Cookie)
Risk: It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user.
Causes: The web application sets session cookies without the HttpOnly attribute
Recommended fix: Add the 'HttpOnly' attribute to all session cookies.
The Test Requests and Responses:
GET /admin/ HTTP/1.1
Host: 9.5.29.52
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: https://9.5.29.52/
Cookie: csrftoken=JPjBiDp6Ex6YDw3sgfZPCTPUwWKZdZTm; sessionid=oad3bpy15qm8ntml9wx604yr79cc6zpb
Connection: keep-alive
HTTP/1.1 200 OK
Date: Fri, 12 Sep 2014 07:52:50 GMT
Server: Apache
Vary: Accept-Language,Cookie,Accept-Encoding
X-Frame-Options: SAMEORIGIN
Content-Language: en
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
Set-Cookie: csrftoken=silTP6ARbLvXohF6YYFLlWHce0KZkjPy; expires=Fri, 11-Sep-2015 07:52:52 GMT; Max-Age=31449600; Path=/; secure
Set-Cookie: sessionid=ygq094phgr6og471j6n0asq7x6q37j6n; httponly; Path=/; secure
<!DOCTYPE html>
<html>
<head>
<meta content='text/html; charset=utf-8' http-equiv='Content-Type' />
<title>Usage Overview - Cloud Management Dashboard</title>
<!--
Copyright 2014 *** Corp.
-->
<link rel="stylesheet" href="/static/dashboard/css/5730bed76fd3.css" type="text/css" media="screen" />
<link rel="shortcut icon" href="/static/dashboard/img/favicon.png"/>
<!--
Fix header padding issue in IE < 10
-->
<!--[if lt IE 10 ]>
<style>
.topbar {
padding-bottom: 0px;
}
</style>
<![endif]-->
<script type="text/javascript" src="/static/dashboard/js/841198948869.js"></script>
<script type="text/javascript" charset="utf-8">
/*
Added so that we can append Horizon scoped JS events to
the DOM load events without running in to the "horizon"
name-space not currently being defined since we load the
scripts at the bottom of the page.
*/
var addHorizonLoadEvent = function(func) {
var old_onload = window.onload;
if (typeof window.onload != 'function') {
window.onload = func;
} else {
window.onload = function() {
old_onload();
func();
}
}
}
</script>
</head>
<body id="" ng-app='hz'>
<div id="container">
<div class='topbar'>
<!--
Copyright 2014 ***Corp.
-->
<h1 class="brand"><a href="/home/">Cloud Management Dashboard</a></h1>
<div id="user_info" class="pull-right">
<div id="tenant_switcher" class="dropdown switcher_bar hide_image " tabindex="1">
<div>admin</div>
</div>
<div id="profile_editor_switcher" class="dropdown switcher_bar" tabindex='1'>
<a class="dropdown-toggle" data-toggle="dropdown" href="#profile_editor_switcher">
<div>admin</div>
</a>
<ul id="editor_list" class="dropdown-menu">
<li class='divider'></li>
<li><a href="/settings/">Settings</a></li>
<li><a href="http://docs.openstack.org" target="_new">Help</a></li>
<li><a href="/auth/logout/">Sign Out</a></li>
</ul>
</div>
<img class="brand_icon" src="/static/dashboard/img/logo.png" alt=""/>
</div>
</div>
<div id='main_content'>
<div class="messages">
</div>
<div class='sidebar'>
<div>
<dl class="nav_accordion">
<dt >
<div>Project</div>
</dt>
<dd style="display:none;">
<div><h4><div>Compute</div></h4>
<ul>
<li><a href="/project/" tabindex="1" >Overview</a></li>
<li><a href="/project/instances/" tabindex="2" >Instances</a></li>
<li><a href="/project/volumes/" tabindex="3" >Volumes</a></li>
<li><a href="/project/images/" tabindex="4" >Images</a></li>
<li><a href="/project/access_and_security/" tabindex="5" >Access & Security</a></li>
</ul>
</div>
<div><h4><div>Network</div></h4>
<ul>
<li><a href="/project/network_topology/" tabindex="1" >Network Topology</a></li>
<li><a href="/project/networks/" tabindex="2" >Networks</a></li>
<li><a href="/project/routers/" tabindex="3" >Routers</a></li>
</ul>
</div>
<div><h4><div>Orchestration</div></h4>
<ul>
<li><a href="/project/stacks/" tabindex="1" >Stacks</a></li>
</ul>
</div>
...
...
...
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1369876/+subscriptions
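The response quoted in the bug report shows the point of the thread directly: sessionid is issued with httponly and secure, while csrftoken carries secure but not httponly. The script below is an added example (not Horizon or Django code) that parses Set-Cookie lines the way a scanner does, reports which flags each cookie lacks, and maps the gaps to the Django settings that control them, so the CSRF_COOKIE_HTTPONLY = True change Doug Fish asks about can be confirmed against a real response. The two header lines are a constructed copy of the ones in the report; the setting names are real Django settings (CSRF_COOKIE_HTTPONLY exists from Django 1.6 onward). One caveat worth checking alongside the setting, per Django's own documentation for CSRF_COOKIE_HTTPONLY: once the csrf cookie is HttpOnly, page JavaScript can no longer read the token from document.cookie and must take it from the hidden input rendered by {% csrf_token %} instead.

```python
"""Audit Set-Cookie headers for missing HttpOnly / Secure flags and map the
findings to the Django settings that add them.

Added example for this thread; not Horizon's or Django's own code.
"""
from dataclasses import dataclass

# Constructed copy of the two Set-Cookie lines from the response in the bug report.
SAMPLE_HEADERS = [
    "Set-Cookie: csrftoken=silTP6ARbLvXohF6YYFLlWHce0KZkjPy; "
    "expires=Fri, 11-Sep-2015 07:52:52 GMT; Max-Age=31449600; Path=/; secure",
    "Set-Cookie: sessionid=ygq094phgr6og471j6n0asq7x6q37j6n; httponly; Path=/; secure",
]

# Django settings (real names) that put each flag on each cookie when set to True.
# CSRF_COOKIE_HTTPONLY is the Django 1.6 addition discussed in the thread.
DJANGO_SETTING_FOR = {
    ("csrftoken", "httponly"): "CSRF_COOKIE_HTTPONLY",
    ("csrftoken", "secure"): "CSRF_COOKIE_SECURE",
    ("sessionid", "httponly"): "SESSION_COOKIE_HTTPONLY",
    ("sessionid", "secure"): "SESSION_COOKIE_SECURE",
}


@dataclass
class CookieAudit:
    name: str        # cookie name, e.g. "csrftoken"
    flags: set       # lower-cased attribute names present on the cookie
    missing: list    # required flags that are absent


def parse_set_cookie(header_line):
    """Return (cookie name, set of lower-cased attribute names) for one Set-Cookie line.

    Attributes are split on ';' (the comma inside an Expires date is not a separator).
    Key=value attributes such as Path=/ contribute only their key; bare flags such as
    HttpOnly are kept as-is, so a case-insensitive membership test works.
    """
    _, _, value = header_line.partition(":")
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    flags = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, flags


def audit_cookies(header_lines, required=("httponly", "secure")):
    """Audit every Set-Cookie line; non-cookie headers are ignored."""
    results = []
    for line in header_lines:
        if not line.lower().startswith("set-cookie:"):
            continue
        name, flags = parse_set_cookie(line)
        missing = [flag for flag in required if flag not in flags]
        results.append(CookieAudit(name, flags, missing))
    return results


def recommended_settings(audits):
    """Django settings to set True in local_settings.py for each missing flag found."""
    return sorted({
        DJANGO_SETTING_FOR[(a.name, flag)]
        for a in audits
        for flag in a.missing
        if (a.name, flag) in DJANGO_SETTING_FOR
    })


if __name__ == "__main__":
    audits = audit_cookies(SAMPLE_HEADERS)
    for a in audits:
        status = "ok" if not a.missing else "missing " + ", ".join(a.missing)
        print(f"{a.name}: {status}")
    for setting in recommended_settings(audits):
        print(f"set {setting} = True")
```

Run it against the headers captured after the change: a correct deployment yields an empty list from recommended_settings, and a csrftoken line that still lacks httponly points at the setting not being picked up (for example, local_settings not being loaded, or a Django version older than 1.6, which silently ignores CSRF_COOKIE_HTTPONLY).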