James Chen created KNOX-2234:
--------------------------------
Summary: Omitting cookie from outbound request header
Key: KNOX-2234
URL: https://issues.apache.org/jira/browse/KNOX-2234
Project: Apache Knox
Issue Type: Improvement
Affects Versions: 1.3.0, 1.2.0
Reporter: James Chen
Attachments: KNOX-2234.patch
It is possible for an attacker to directly steal user session information by
having a user visit or load a URL using Knox, as cookies are forwarded in the
header on the outbound request. This behavior doesn't seem to serve any
particular function either, as the endpoint Knox tries to contact shouldn't
need any authentication by Knox. We suggest that user-Knox cookies should be
omitted from the outbound request.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
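The defensive pattern the issue asks for, written out as an added example: a proxy builds its outbound header set without copying the user's gateway cookies upstream. This is illustrative code for this note, not Apache Knox code and not the contents of the attached KNOX-2234.patch; the cookie names (`gateway-session`, `gateway-jwt`, `theme`), the hostname and the token values are constructed for the example. The default mode drops the `Cookie` header entirely, as the reporter suggests; an optional mode forwards only cookies that are not the gateway's own, for deployments where the backend legitimately needs its own cookies. A small `leaks_gateway_cookie` check is included so the behaviour can be asserted in a unit test.

```python
"""Keep a gateway's own session cookies out of proxied upstream requests.

Illustrative code written for this note; it is not Apache Knox code and does
not reproduce the KNOX-2234 patch. All cookie names and values are constructed.
"""
from typing import FrozenSet, Iterable, List, Tuple

Header = Tuple[str, str]

# Cookies that only have meaning between the browser and the gateway itself.
# Constructed names for this example; a real deployment lists its actual
# session/JWT cookie names here.
GATEWAY_COOKIES: FrozenSet[str] = frozenset({"gateway-session", "gateway-jwt"})


def parse_cookie_header(value: str) -> List[Tuple[str, str]]:
    """Split 'a=1; b=2' into [('a', '1'), ('b', '2')].

    Tolerates empty segments and bare names; only the first '=' separates the
    name from the value, so values containing '=' survive intact.
    """
    pairs: List[Tuple[str, str]] = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        pairs.append((name.strip(), val.strip() if sep else ""))
    return pairs


def outbound_headers(inbound: Iterable[Header],
                     forward_cookies: bool = False,
                     gateway_cookies: FrozenSet[str] = GATEWAY_COOKIES) -> List[Header]:
    """Build the header list the proxy sends to the upstream service.

    forward_cookies=False: no Cookie header reaches the upstream at all (the
    behaviour the issue asks for).
    forward_cookies=True: Cookie headers are forwarded, but every cookie whose
    name is in gateway_cookies is removed first, so the user's gateway session
    token is never exposed to the upstream service.
    Header-name matching is case-insensitive and multiple Cookie headers are
    merged into one.
    """
    out: List[Header] = []
    kept: List[Tuple[str, str]] = []
    for name, value in inbound:
        if name.lower() == "cookie":
            if forward_cookies:
                kept.extend((n, v) for n, v in parse_cookie_header(value)
                            if n not in gateway_cookies)
            continue  # never copy a Cookie header through verbatim
        out.append((name, value))
    if kept:
        out.append(("Cookie", "; ".join(f"{n}={v}" for n, v in kept)))
    return out


def leaks_gateway_cookie(headers: Iterable[Header],
                         gateway_cookies: FrozenSet[str] = GATEWAY_COOKIES) -> bool:
    """True if any Cookie header still carries one of the gateway's own cookies."""
    for name, value in headers:
        if name.lower() == "cookie" and any(
                n in gateway_cookies for n, _ in parse_cookie_header(value)):
            return True
    return False


# Constructed inbound request: one mixed Cookie header plus a second,
# lowercase-named one, which is how a leak typically slips past a naive filter.
INBOUND: List[Header] = [
    ("Host", "gateway.example.test"),
    ("Accept", "application/json"),
    ("Cookie", "gateway-jwt=eyJ.constructed.token; theme=dark"),
    ("cookie", "gateway-session=0123abcd"),
]

if __name__ == "__main__":
    for hdr_name, hdr_value in outbound_headers(INBOUND):
        print(f"{hdr_name}: {hdr_value}")
```

Run stand-alone, the script prints only the `Host` and `Accept` headers; with `forward_cookies=True` the upstream would see `Cookie: theme=dark` and nothing that identifies the user's gateway session.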