[KNOX-2234] Omitting cookie from outbound request header - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Minor
Resolution: Not A Bug
Affects Version/s: 1.2.0, 1.3.0
Fix Version/s: None
Component/s: None
Labels:
- easy-fix

Description

It is possible for an attacker to directly steal user session information by having a user visit or load a URL using Knox, as cookies are forwarded in the header on the outbound request. This behavior doesn't seem to serve any particular function either, as the endpoint Knox tries to contact shouldn't need any authentication by Knox. We suggest that user-Knox cookies should be omitted from the outbound request.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

KNOX-2234.patch
13/Feb/20 21:06
0.8 kB
James Chen

Activity

People

Assignee:: Unassigned

Reporter:: James Chen

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 13/Feb/20 19:57

Updated:: 25/Feb/20 15:00

Resolved:: 25/Feb/20 15:00

Time Tracking

Estimated:

168h

Remaining:

168h

Logged:

Not Specified