[ https://issues.apache.org/jira/browse/KNOX-2234?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Kevin Risden updated KNOX-2234:
-------------------------------
Resolution: Not A Bug
Status: Resolved (was: Patch Available)
Marking as "Not a Bug" since this is working as designed. It requires a lot
more thought about where cookies should be removed if they are going to be
completely removed from dispatch in Knox.
> Omitting cookie from outbound request header
> --------------------------------------------
>
> Key: KNOX-2234
> URL: https://issues.apache.org/jira/browse/KNOX-2234
> Project: Apache Knox
> Issue Type: Improvement
> Affects Versions: 1.2.0, 1.3.0
> Reporter: James Chen
> Priority: Minor
> Labels: easy-fix
> Attachments: KNOX-2234.patch
>
> Original Estimate: 168h
> Remaining Estimate: 168h
>
> It is possible for an attacker to directly steal user session information by
> having a user visit or load a URL using Knox, as cookies are forwarded in the
> header on the outbound request. This behavior doesn't seem to serve any
> particular function either, as the endpoint Knox tries to contact shouldn't
> need any authentication by Knox. We suggest that user-Knox cookies should be
> omitted from the outbound request.
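The mitigation the reporter proposes, dropping the user-to-Knox cookies before the request is dispatched to the backend, can be illustrated with the following filter. This is an added example, not Apache Knox code or the attached patch, and it does not reflect the resolution above; the cookie names "hadoop-jwt" (the default Knox SSO cookie) and "JSESSIONID" (the gateway's own servlet session) are assumptions for the example and would need to match the deployment. It parses the inbound Cookie header per RFC 6265, drops the gateway-owned cookies by name, and signals that the header must be omitted entirely (rather than forwarded as an empty string) when nothing remains.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;

/**
 * Strips gateway-owned cookies from an outbound Cookie header before a
 * proxied request is dispatched to a backend service.
 *
 * Added illustration, not Apache Knox code. The cookie names are an
 * assumption for this example: "hadoop-jwt" is the default Knox SSO cookie
 * and "JSESSIONID" the gateway's own servlet session cookie.
 */
public final class OutboundCookieFilter {

    /** Cookies the backend must never receive (matched case-insensitively). */
    private static final Set<String> GATEWAY_COOKIES;
    static {
        Set<String> s = new LinkedHashSet<>();
        s.add("hadoop-jwt");
        s.add("jsessionid");
        GATEWAY_COOKIES = Collections.unmodifiableSet(s);
    }

    private OutboundCookieFilter() {}

    /**
     * Returns the Cookie header value to forward, or empty if no Cookie header
     * should be forwarded at all. Callers must omit the header in the empty
     * case; sending "Cookie:" with an empty value is not equivalent.
     */
    public static Optional<String> filterCookieHeader(String cookieHeader) {
        if (cookieHeader == null || cookieHeader.trim().isEmpty()) {
            return Optional.empty();
        }
        List<String> kept = new ArrayList<>();
        for (String pair : cookieHeader.split(";")) {
            String p = pair.trim();
            if (p.isEmpty()) {
                continue;
            }
            // RFC 6265 cookie-pair is name "=" value; the value may itself
            // contain '=', so split only on the first one.
            int eq = p.indexOf('=');
            String name = (eq < 0 ? p : p.substring(0, eq)).trim();
            if (GATEWAY_COOKIES.contains(name.toLowerCase(Locale.ROOT))) {
                continue; // credential meant for the gateway, not the backend
            }
            kept.add(p);
        }
        return kept.isEmpty() ? Optional.empty() : Optional.of(String.join("; ", kept));
    }

    public static void main(String[] args) {
        // Constructed sample of what a browser would send to the gateway.
        String inbound = "hadoop-jwt=redacted-token; theme=dark; JSESSIONID=abc123; note=a=b";
        System.out.println("inbound : " + inbound);
        System.out.println("outbound: "
            + filterCookieHeader(inbound).orElse("<Cookie header omitted>"));
        // Only gateway cookies present: the header is dropped entirely.
        System.out.println("outbound: "
            + filterCookieHeader("hadoop-jwt=redacted-token").orElse("<Cookie header omitted>"));
    }
}
```

In a real dispatch path this would be applied at the single point where request headers are copied onto the outbound request, which is the placement question the resolution comment refers to; a deny-list by cookie name is shown here because the gateway knows which cookies it issued, whereas an allow-list would require knowing every cookie each backend legitimately expects.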
--
This message was sent by Atlassian Jira (v8.3.4#803005)