[ https://issues.apache.org/jira/browse/KNOX-2234?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

James Chen updated KNOX-2234:
-----------------------------
    Attachment: KNOX-2234.patch
        Status: Patch Available  (was: Open)

> Omitting cookie from outbound request header
> --------------------------------------------
>
>                 Key: KNOX-2234
>                 URL: https://issues.apache.org/jira/browse/KNOX-2234
>             Project: Apache Knox
>          Issue Type: Improvement
>    Affects Versions: 1.3.0, 1.2.0
>            Reporter: James Chen
>            Priority: Minor
>              Labels: easy-fix
>         Attachments: KNOX-2234.patch
>
>   Original Estimate: 168h
>  Remaining Estimate: 168h
>
> It is possible for an attacker to directly steal user session information by 
> having a user visit or load a URL using Knox, as cookies are forwarded in the 
> header on the outbound request. This behavior doesn't seem to serve any 
> particular function either, as the endpoint Knox tries to contact shouldn't 
> need any authentication by Knox. We suggest that user-Knox cookies should be 
> omitted from the outbound request.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
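The forwarding behaviour the issue describes, and the suggested fix, as an added illustration that is not Knox project code: a gateway copies the client's request headers to its outbound (upstream) request, and the hardened version drops the Cookie header (along with hop-by-hop headers) so the user's session with the gateway never reaches the backend. The header values and the cookie name "gateway-session" are constructed for the example.

```python
# Added example (not from the Knox code base). Demonstrates why a reverse
# proxy must not replay the client's gateway cookies to the upstream service.

# Hop-by-hop headers are tied to a single connection and are never forwarded.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate",
              "proxy-authorization", "te", "trailer",
              "transfer-encoding", "upgrade"}

# Constructed sample of what a browser sends to the gateway.
SAMPLE_INBOUND = {
    "Host": "gateway.example.internal",
    "Accept": "application/json",
    "Connection": "keep-alive",
    "Cookie": "gateway-session=abc123; theme=dark",  # constructed values
}


def naive_forward(inbound: dict) -> dict:
    """The behaviour reported in the issue: every client header is copied as-is,
    so the user's gateway session cookie travels to the backend."""
    return dict(inbound)


def outbound_headers(inbound: dict) -> dict:
    """The suggested fix: build the upstream header set without the Cookie
    header and without hop-by-hop headers. Other headers pass through."""
    return {name: value for name, value in inbound.items()
            if name.lower() not in HOP_BY_HOP and name.lower() != "cookie"}


def cookie_names(header_value: str) -> list:
    """Split a Cookie header value into the cookie names it carries."""
    return [part.split("=", 1)[0].strip()
            for part in header_value.split(";") if part.strip()]


def leaked_cookie_names(outbound: dict) -> list:
    """Audit helper: names of client cookies that would reach the backend.
    An empty list means no session information is exposed upstream."""
    for name, value in outbound.items():
        if name.lower() == "cookie":
            return cookie_names(value)
    return []


if __name__ == "__main__":
    print("naive forward leaks:", leaked_cookie_names(naive_forward(SAMPLE_INBOUND)))
    print("fixed forward leaks:", leaked_cookie_names(outbound_headers(SAMPLE_INBOUND)))
```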