Apache Knox issue KNOX-2234

Omitting cookie from outbound request header

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Not A Bug
    • Affects Version/s: 1.2.0, 1.3.0
    • Fix Version/s: None
    • Component/s: None
    • Labels:

      Description

      It is possible for an attacker to directly steal user session information by having a user visit or load a URL using Knox, as cookies are forwarded in the header on the outbound request. This behavior doesn't seem to serve any particular function either, as the endpoint Knox tries to contact shouldn't need any authentication by Knox. We suggest that user-Knox cookies should be omitted from the outbound request.
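The mitigation the reporter proposes, shown as an added Python example of outbound-header sanitisation in a reverse proxy; this is not Knox code and not the attached patch, and the cookie names GATEWAY-SESSION and GATEWAY-SSO, together with the sample inbound headers, are constructed placeholders:

```python
# Constructed placeholder names for the gateway's own session cookies (assumption,
# not taken from the ticket). Cookie names are compared case-sensitively (RFC 6265).
GATEWAY_COOKIE_NAMES = frozenset({"GATEWAY-SESSION", "GATEWAY-SSO"})

# Constructed sample of what a browser might send to the gateway.
SAMPLE_INBOUND = {
    "Host": "knox.example.internal",
    "Accept": "application/json",
    "Cookie": "GATEWAY-SESSION=abc123; theme=dark; GATEWAY-SSO=tok456",
}


def filter_cookie_header(cookie_value, blocked_names):
    """Return the Cookie header value with blocked cookies removed, or None if none remain."""
    kept = []
    for part in cookie_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, _ = part.partition("=")
        if name.strip() in blocked_names:
            continue
        kept.append(part)
    return "; ".join(kept) if kept else None


def sanitize_outbound_headers(inbound, gateway_cookie_names=GATEWAY_COOKIE_NAMES,
                              forward_user_cookies=False):
    """Build the header set for the backend request.

    Default policy (the ticket's suggestion): drop the Cookie header entirely.
    With forward_user_cookies=True only the gateway's own cookies are stripped,
    so application cookies still reach the backend.
    """
    outbound = {}
    for name, value in inbound.items():
        if name.lower() != "cookie":
            outbound[name] = value
            continue
        if not forward_user_cookies:
            continue  # session material for the gateway never leaves the gateway
        remaining = filter_cookie_header(value, gateway_cookie_names)
        if remaining is not None:
            outbound[name] = remaining
    return outbound


def leaks_gateway_cookie(headers, gateway_cookie_names=GATEWAY_COOKIE_NAMES):
    """Check usable in a test or a dispatch audit: does any gateway cookie survive?"""
    for name, value in headers.items():
        if name.lower() == "cookie" and filter_cookie_header(value, gateway_cookie_names) != value:
            return True
    return False
```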

Attachments

1. KNOX-2234.patch (0.8 kB, James Chen)

People

• Assignee: Unassigned
• Reporter: jameschen1519 (James Chen)
• Votes: 0
• Watchers: 4


Time Tracking

• Estimated: 168h (original estimate)
• Remaining: 168h
• Logged: Not Specified