James Chen updated KNOX-2234:
    Attachment:     (was: KNOX-2234.patch)

> Omitting cookie from outbound request header
> --------------------------------------------
>                 Key: KNOX-2234
>                 URL: https://issues.apache.org/jira/browse/KNOX-2234
>             Project: Apache Knox
>          Issue Type: Improvement
>    Affects Versions: 1.2.0, 1.3.0
>            Reporter: James Chen
>            Priority: Minor
>              Labels: easy-fix
>         Attachments: KNOX-2234.patch
>   Original Estimate: 168h
>  Remaining Estimate: 168h
> It is possible for an attacker to directly steal user session information by 
> having a user visit or load a URL using Knox, as cookies are forwarded in the 
> header on the outbound request. This behavior doesn't seem to serve any 
> particular function either, as the endpoint Knox tries to contact shouldn't 
> need any authentication by Knox. We suggest that user-Knox cookies should be 
> omitted from the outbound request.

This message was sent by Atlassian Jira
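The mitigation the ticket proposes, filtering gateway-owned cookies out of the `Cookie` header before the request is dispatched to the backend, as an added example written for this page. It is not Knox's own dispatch code and does not use Knox APIs; the cookie names `hadoop-jwt` and `JSESSIONID`, the sample inbound header and the `outboundHeaders` helper are all assumptions made for illustration. The `false` branch reproduces the behaviour described in the ticket (the header is copied through unchanged) so the two results can be compared.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class OutboundCookieFilter {

    // Cookies that belong to the user<->gateway session and should never be
    // forwarded to a backend service. ASSUMPTION: these names are illustrative;
    // substitute the cookie names your gateway deployment actually issues.
    static final Set<String> GATEWAY_COOKIES =
        new HashSet<>(Arrays.asList("hadoop-jwt", "JSESSIONID"));

    /**
     * Returns the Cookie header value that may be forwarded outbound, with every
     * gateway-owned cookie removed. Returns null when nothing should be sent,
     * so the caller can omit the header entirely rather than send an empty one.
     */
    public static String stripGatewayCookies(String inboundCookieHeader) {
        if (inboundCookieHeader == null || inboundCookieHeader.trim().isEmpty()) {
            return null;
        }
        List<String> kept = new ArrayList<>();
        // RFC 6265 cookie-string: cookie-pair *( ";" SP cookie-pair )
        for (String pair : inboundCookieHeader.split(";")) {
            String trimmed = pair.trim();
            if (trimmed.isEmpty()) {
                continue;
            }
            int eq = trimmed.indexOf('=');
            // Cookie names are case-sensitive, so an exact match is correct here.
            String name = eq < 0 ? trimmed : trimmed.substring(0, eq).trim();
            if (GATEWAY_COOKIES.contains(name)) {
                continue; // drop the session cookie: the backend has no use for it
            }
            kept.add(trimmed);
        }
        return kept.isEmpty() ? null : String.join("; ", kept);
    }

    /**
     * Builds the header map for the outbound request. With stripSession=false the
     * Cookie header is copied verbatim (the behaviour the ticket describes); with
     * stripSession=true gateway cookies are removed and the header is dropped
     * when nothing remains. Hypothetical helper, not a Knox API.
     */
    public static Map<String, String> outboundHeaders(Map<String, String> inbound,
                                                      boolean stripSession) {
        Map<String, String> outbound = new HashMap<>();
        for (Map.Entry<String, String> h : inbound.entrySet()) {
            if (stripSession && h.getKey().equalsIgnoreCase("Cookie")) {
                String filtered = stripGatewayCookies(h.getValue());
                if (filtered != null) {
                    outbound.put(h.getKey(), filtered);
                }
            } else {
                outbound.put(h.getKey(), h.getValue());
            }
        }
        return outbound;
    }

    public static void main(String[] args) {
        // Constructed sample inbound headers, not captured from a real deployment.
        Map<String, String> inbound = new HashMap<>();
        inbound.put("Cookie", "hadoop-jwt=eyJhbGciOiJSUzI1NiJ9.sample; theme=dark; JSESSIONID=abc123");
        inbound.put("Accept", "application/json");

        System.out.println("forwarded verbatim : " + outboundHeaders(inbound, false).get("Cookie"));
        // prints: hadoop-jwt=eyJhbGciOiJSUzI1NiJ9.sample; theme=dark; JSESSIONID=abc123
        System.out.println("session stripped   : " + outboundHeaders(inbound, true).get("Cookie"));
        // prints: theme=dark

        Map<String, String> onlySession = new HashMap<>();
        onlySession.put("Cookie", "hadoop-jwt=eyJhbGciOiJSUzI1NiJ9.sample");
        System.out.println("header present when only session cookies were sent: "
            + outboundHeaders(onlySession, true).containsKey("Cookie"));
        // prints: false
    }
}
```

A denylist of gateway cookie names is the minimal change; since the ticket notes that the backend endpoint should not need any gateway authentication, the simplest safe default is to forward no cookies at all unless a topology explicitly allowlists specific names, which is the case `stripGatewayCookies` handles by returning null so the header is omitted rather than sent empty. To verify the fix against a running gateway, send a request through it with a known cookie value and confirm on the backend (for example in its access log or a request-dumping stub) that the value never arrives.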
