[ https://issues.apache.org/jira/browse/KNOX-2234?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
James Chen updated KNOX-2234:
-----------------------------
    Attachment: KNOX-2234.patch
        Status: Patch Available  (was: Open)

> Omitting cookie from outbound request header
> --------------------------------------------
>
>                 Key: KNOX-2234
>                 URL: https://issues.apache.org/jira/browse/KNOX-2234
>             Project: Apache Knox
>          Issue Type: Improvement
>    Affects Versions: 1.3.0, 1.2.0
>            Reporter: James Chen
>            Priority: Minor
>              Labels: easy-fix
>         Attachments: KNOX-2234.patch
>
>   Original Estimate: 168h
>  Remaining Estimate: 168h
>
> It is possible for an attacker to directly steal user session information by
> having a user visit or load a URL using Knox, as cookies are forwarded in the
> header on the outbound request. This behavior doesn't seem to serve any
> particular function either, as the endpoint Knox tries to contact shouldn't
> need any authentication by Knox. We suggest that user-Knox cookies should be
> omitted from the outbound request.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
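The forwarding behaviour the ticket describes, beside the suggested fix, as an added Python example that is not Knox's own code: headers are modelled as (name, value) pairs, the host and cookie names are placeholders, and the selective variant (stripping only the gateway's own session cookie) goes beyond the ticket's suggestion of omitting all cookies.

```python
from typing import Iterable, List, Tuple

Header = Tuple[str, str]

# Constructed sample of what a browser sends to the gateway (placeholder names).
INBOUND_HEADERS: List[Header] = [
    ("Host", "gateway.example.test"),
    ("Accept", "application/json"),
    ("Cookie", "GATEWAYSESSION=abc123; theme=dark"),
    ("cookie", "tracking=xyz; GATEWAYSESSION=abc123"),  # lowercase duplicate field
    ("User-Agent", "constructed-client/1.0"),
]


def forward_all(inbound: Iterable[Header]) -> List[Header]:
    """Behaviour the ticket describes: every header, session cookie included,
    is copied verbatim onto the outbound request to the backend."""
    return list(inbound)


def forward_without_cookies(inbound: Iterable[Header]) -> List[Header]:
    """The ticket's suggestion: drop every Cookie field. HTTP header names are
    case-insensitive, so compare lower-cased or a 'cookie' field slips through."""
    return [(n, v) for n, v in inbound if n.lower() != "cookie"]


def strip_named_cookies(inbound: Iterable[Header], names: Iterable[str]) -> List[Header]:
    """Selective variant: remove only the gateway's own session cookies and
    forward the rest; a Cookie field left empty is dropped entirely."""
    drop = set(names)
    out: List[Header] = []
    for n, v in inbound:
        if n.lower() != "cookie":
            out.append((n, v))
            continue
        kept = [c.strip() for c in v.split(";")
                if c.strip() and c.strip().split("=", 1)[0] not in drop]
        if kept:
            out.append((n, "; ".join(kept)))
    return out


def leaks_cookie(outbound: Iterable[Header], name: str) -> bool:
    """Check for any captured outbound header set: does a cookie called
    `name` still appear in some Cookie field?"""
    return any(n.lower() == "cookie"
               and any(c.strip().split("=", 1)[0] == name for c in v.split(";"))
               for n, v in outbound)
```

Running `leaks_cookie` against headers captured at a stub backend is a quick way to verify that a proxy actually omits the session cookie rather than trusting the configuration alone.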