[
https://issues.apache.org/jira/browse/CLOUDSTACK-8505?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15548518#comment-15548518
]
Rohit Yadav edited comment on CLOUDSTACK-8505 at 10/5/16 12:08 PM:
-------------------------------------------------------------------
[~jburwell] [~pdion] this was a reported security issue on security@ (search
for a thread -- regarding security issue noticed by QA recently in
CloudStack (4.6)). The parameters are not sent as parameters on the URL but as
args in the HTTP POST request. This was done as a general security measure.
Earlier, the UI used apikey/secretkey from the URL itself to make API requests;
this caused the UI in another tab in the same browser to log out. We also introduced
several security enhancements such as use of HttpOnly and Secure cookies etc. The
current login is based on secure cookies, so when used over SSL -- the login
information is not part of the login URL/request; similarly api/secret or
session keys are returned by a successful login as part of the cookies set by the
server. This allows users to open the UI in multiple tabs without getting
logged out.
If we have any use-case where GET ought to be supported, we can either relax the
check and allow both GET and POST requests. Alternatively, add a global setting
for this (though I would avoid yet another setting).
> Don't allow non-POST http requests on default login request
> -----------------------------------------------------------
>
> Key: CLOUDSTACK-8505
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8505
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Reporter: Rohit Yadav
> Assignee: Rohit Yadav
> Fix For: 4.5.2, 4.6.0
>
>
> Disallow requests that are not POST requests.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
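The login behaviour the comment describes (reject non-POST login requests, read credentials from the POST body rather than the URL, and hand the session key back only in an HttpOnly/Secure cookie) as an added, self-contained example. This is illustrative code written for this page, not CloudStack's login handler: the `/login` path, the `sessionkey` cookie name, the `USERS` map and the JSON response shape are assumptions chosen to mirror the discussion, and the server is plain HTTP on localhost, so the `Secure` flag is shown as it would be set in production behind TLS.

```python
"""Minimal login endpoint enforcing the CLOUDSTACK-8505 rule: POST only, credentials
from the body, session key returned only in an HttpOnly; Secure cookie.
Added example, not project code."""
import http.client
import json
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

# Constructed sample account for the demo; hypothetical, not a real credential store.
USERS = {"admin": "password"}
SESSIONS = {}  # sessionkey -> username (server-side session table)


class LoginHandler(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo quiet
        pass

    def _json(self, status, payload, extra_headers=()):
        body = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        for name, value in extra_headers:
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        if urlsplit(self.path).path == "/login":
            # Credentials in a GET URL end up in access logs, proxies and browser
            # history, so the login request is refused outright with 405.
            self.send_response(405)
            self.send_header("Allow", "POST")
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        self._json(404, {"errorcode": 404, "errortext": "not found"})

    def do_POST(self):
        if urlsplit(self.path).path != "/login":
            self._json(404, {"errorcode": 404, "errortext": "not found"})
            return
        length = int(self.headers.get("Content-Length", "0"))
        form = parse_qs(self.rfile.read(length).decode())
        # Only the POST body is consulted; anything in the query string is ignored,
        # so "?username=...&password=..." on the URL does not log anyone in.
        user = form.get("username", [""])[0]
        password = form.get("password", [""])[0]
        expected = USERS.get(user)
        if expected is None or not secrets.compare_digest(expected, password):
            self._json(401, {"errorcode": 401, "errortext": "invalid credentials"})
            return
        key = secrets.token_urlsafe(32)
        SESSIONS[key] = user
        # The session key travels only in the cookie: HttpOnly keeps it away from
        # page scripts, Secure restricts it to TLS. It is not echoed in the body
        # or the URL, which is what lets several tabs share one login.
        cookie = f"sessionkey={key}; Path=/; HttpOnly; Secure; SameSite=Strict"
        self._json(200, {"loginresponse": {"username": user}}, [("Set-Cookie", cookie)])


def start_server():
    """Start the handler on an ephemeral localhost port in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), LoginHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def request(srv, method, path, body=None):
    """Issue one request; return (status, Set-Cookie header or None, body bytes)."""
    conn = http.client.HTTPConnection("127.0.0.1", srv.server_port)
    headers = {"Content-Type": "application/x-www-form-urlencoded"} if body else {}
    conn.request(method, path, body=body, headers=headers)
    resp = conn.getresponse()
    result = (resp.status, resp.getheader("Set-Cookie"), resp.read())
    conn.close()
    return result


def demo():
    """Exercise the three cases the ticket cares about and return the outcomes."""
    srv = start_server()
    try:
        get = request(srv, "GET", "/login?username=admin&password=password")
        url_only = request(srv, "POST", "/login?username=admin&password=password")
        post = request(srv, "POST", "/login", "username=admin&password=password")
        return {"get_status": get[0], "url_creds_status": url_only[0],
                "post_status": post[0], "cookie": post[1]}
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the GET login refused with 405, a POST that carries credentials only on the URL refused with 401 because the body is empty, and the real POST answered with 200 plus a `Set-Cookie` carrying `HttpOnly` and `Secure`. Relaxing the check to "allow both GET and POST", as the comment floats, would amount to adding a `do_GET` branch that parses the query string; the cookie handling would stay the same.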