[Openstack] Fwd: [Full-disclosure] [Django] Cookie-based session storage session invalidation issue

Gabriel Hurley Gabriel.Hurley at nebula.com
Mon Oct 7 23:34:42 UTC 2013


Yes and No. They will appear to be logged in to Horizon, but the Keystone token will be invalid and thus they will be unable to obtain any data or perform any actions via the APIs. Since all of Horizon's data comes from APIs, this is a very limited problem space.

There are reasonably well-documented ways to mitigate this issue (HTTPS, HSTS, secure cookies, etc.) but cookie stealing is a problem that most web applications are subject to, to some degree. I think we mitigate in a reasonable fashion.

Further suggestions are more than welcome!

    - Gabriel

> -----Original Message-----
> From: Jeffrey Walton [mailto:noloader at gmail.com]
> Sent: Wednesday, October 02, 2013 1:53 AM
> To: openstack at lists.openstack.org
> Subject: [Openstack] Fwd: [Full-disclosure] [Django] Cookie-based session
> storage session invalidation issue
> 
> Not sure if this made anyone's radar....
> 
> ---------- Forwarded message ----------
> From: G. S. McNamara <main at gsmcnamara.com>
> Date: Tue, Oct 1, 2013 at 4:20 PM
> Subject: [Full-disclosure] [Django] Cookie-based session storage session
> invalidation issue
> To: full-disclosure at lists.grok.org.uk
> 
> FD,
> 
> I’m back!
> 
> Django versions 1.4 – 1.7 offer a cookie-based session storage option (not
> the default this time) that is afflicted by the same issue I posted about
> previously concerning Ruby on Rails:
> 
> If you obtain a user’s cookie, even if they log out, you can still log in as them.
> 
> The short write-up is here, if needed:
> http://maverickblogging.com/security-vulnerability-with-django-cookie-based-sessions/
> 
> Cheers,
> 
> G. S. McNamara
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
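The behaviour discussed in this thread, as an added illustration (not Django's, Horizon's or either poster's code): a purely cookie-based session carries all of its state in a signed cookie, so "logging out" only discards the client's copy and a previously captured copy keeps verifying until the signing key changes or the cookie expires. The second class shows the kind of server-side check Gabriel describes for Horizon (the cookie alone is not enough; a server-held value, there the Keystone token, must still be valid). The signing format, `SECRET_KEY` value, class names and the per-user generation counter are all constructed for this example and are not Django's actual `signed_cookies` implementation.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Stand-in for Django's SECRET_KEY; constructed for this example only.
SECRET_KEY = b"constructed-demo-secret-not-for-real-use"


def sign(payload: dict) -> str:
    """Serialize a session payload and append an HMAC so the client cannot alter it."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify(cookie: str) -> Optional[dict]:
    """Return the payload if the HMAC checks out, otherwise None (tampered or malformed)."""
    try:
        body, mac = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body.encode()))


class StatelessSessions:
    """All session state lives in the signed cookie; the server stores nothing per session."""

    def login(self, user: str) -> str:
        return sign({"user": user})

    def logout(self, cookie: str) -> str:
        # Nothing server-side to delete: the only effect is that the client drops its cookie.
        return ""

    def current_user(self, cookie: str) -> Optional[str]:
        data = verify(cookie)
        return data["user"] if data else None


class RevocableSessions:
    """Same cookie format plus a server-held generation number that logout bumps.

    This mirrors the Horizon situation described above: the cookie may still verify,
    but a server-side value it depends on is no longer valid, so it grants nothing.
    """

    def __init__(self) -> None:
        self.generation: dict[str, int] = {}  # user -> generation embedded in valid cookies

    def login(self, user: str) -> str:
        return sign({"user": user, "gen": self.generation.get(user, 0)})

    def logout(self, user: str) -> None:
        # Bumping the generation invalidates every outstanding cookie for this user at once.
        self.generation[user] = self.generation.get(user, 0) + 1

    def current_user(self, cookie: str) -> Optional[str]:
        data = verify(cookie)
        if not data or data.get("gen") != self.generation.get(data["user"], 0):
            return None
        return data["user"]


def stateless_cookie_survives_logout() -> bool:
    """True when a copy of the cookie taken before logout is still accepted afterwards."""
    sessions = StatelessSessions()
    captured = sessions.login("alice")  # constructed: a copy of the cookie made before logout
    sessions.logout(captured)
    return sessions.current_user(captured) == "alice"


def revocable_cookie_survives_logout() -> bool:
    """False when the server-side generation check rejects the pre-logout copy."""
    sessions = RevocableSessions()
    captured = sessions.login("alice")
    assert sessions.current_user(captured) == "alice"  # valid while logged in
    sessions.logout("alice")
    return sessions.current_user(captured) == "alice"


def tampered_cookie_rejected() -> bool:
    """The HMAC still protects integrity in both designs: an altered cookie verifies to None."""
    cookie = StatelessSessions().login("alice")
    return verify(cookie[:-1] + ("0" if cookie[-1] != "0" else "1")) is None


if __name__ == "__main__":
    print("stateless cookie accepted after logout:", stateless_cookie_survives_logout())
    print("revocable cookie accepted after logout:", revocable_cookie_survives_logout())
    print("tampered cookie rejected:", tampered_cookie_rejected())
```

The integrity check (HMAC) and the revocation check are independent properties: signing stops a client from forging or editing a session, while only some server-held state lets the server end a session it previously issued. Django's database and cache session backends have that state by construction; the cookie-only backend does not, which is the point of the forwarded post, and why Horizon relies on the Keystone token becoming invalid rather than on the cookie itself.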