[jira] [Updated] (KNOX-2234) Omitting cookie from outbound request header

2020-02-25 Thread Kevin Risden (Jira)


[ https://issues.apache.org/jira/browse/KNOX-2234?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kevin Risden updated KNOX-2234:
---
Resolution: Not A Bug
Status: Resolved  (was: Patch Available)

Marking as "Not a Bug" since this is working as designed. It requires a lot 
more thought into where cookies should be removed if they are going to be 
completely removed from dispatch in Knox.

> Omitting cookie from outbound request header
>
> Key: KNOX-2234
> URL: https://issues.apache.org/jira/browse/KNOX-2234
> Project: Apache Knox
> Issue Type: Improvement
> Affects Versions: 1.2.0, 1.3.0
> Reporter: James Chen
> Priority: Minor
> Labels: easy-fix
> Attachments: KNOX-2234.patch
>
> Original Estimate: 168h
> Remaining Estimate: 168h
>
> It is possible for an attacker to directly steal user session information by 
> having a user visit or load a URL using Knox, as cookies are forwarded in the 
> header on the outbound request. This behavior doesn't seem to serve any 
> particular function either, as the endpoint Knox tries to contact shouldn't 
> need any authentication by Knox. We suggest that user-Knox cookies should be 
> omitted from the outbound request.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
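
The behaviour under discussion, as an added example that is not Knox code and not the attached patch: a gateway-side header filter that removes only the cookies the gateway itself issued from the outbound `Cookie` header and leaves any other cookies in place. The class name, method names and the cookie names `GATEWAY_SESSION` and `GATEWAY_SSO` are hypothetical.

```java
import java.util.*;
import java.util.stream.Collectors;

public class OutboundCookieFilter {
    // Hypothetical names of cookies the gateway issues to the user; not taken from Knox.
    static final Set<String> GATEWAY_COOKIES = Set.of("GATEWAY_SESSION", "GATEWAY_SSO");

    /** Returns the Cookie value with gateway-owned pairs removed, or null if nothing is left. */
    static String stripGatewayCookies(String cookieHeader) {
        String kept = Arrays.stream(cookieHeader.split(";"))
            .map(String::trim)
            .filter(pair -> !pair.isEmpty())
            .filter(pair -> {
                int eq = pair.indexOf('=');
                String name = eq < 0 ? pair : pair.substring(0, eq).trim();
                return !GATEWAY_COOKIES.contains(name);
            })
            .collect(Collectors.joining("; "));
        return kept.isEmpty() ? null : kept;
    }

    /** Copies inbound headers for the backend request, filtering every Cookie line. */
    static Map<String, List<String>> outboundHeaders(Map<String, List<String>> inbound) {
        Map<String, List<String>> out = new LinkedHashMap<>();
        for (Map.Entry<String, List<String>> e : inbound.entrySet()) {
            if (!e.getKey().equalsIgnoreCase("Cookie")) {   // header names are case-insensitive
                out.put(e.getKey(), e.getValue());
                continue;
            }
            List<String> kept = e.getValue().stream()
                .map(OutboundCookieFilter::stripGatewayCookies)
                .filter(Objects::nonNull)
                .collect(Collectors.toList());
            if (!kept.isEmpty()) out.put(e.getKey(), kept);  // omit the header when no cookie survives
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample request headers, not captured traffic.
        Map<String, List<String>> inbound = new LinkedHashMap<>();
        inbound.put("Accept", List.of("application/json"));
        inbound.put("cookie", List.of("GATEWAY_SESSION=abc123; backendPref=dark", "GATEWAY_SSO=eyJ"));
        System.out.println(outboundHeaders(inbound));
    }
}
```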


[jira] [Updated] (KNOX-2234) Omitting cookie from outbound request header

2020-02-13 Thread James Chen (Jira)


[ https://issues.apache.org/jira/browse/KNOX-2234?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

James Chen updated KNOX-2234:
---
Attachment: KNOX-2234.patch
Status: Patch Available  (was: Open)



[jira] [Updated] (KNOX-2234) Omitting cookie from outbound request header

2020-02-13 Thread James Chen (Jira)


[ https://issues.apache.org/jira/browse/KNOX-2234?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

James Chen updated KNOX-2234:
---
Attachment: (was: KNOX-2234.patch)



[jira] [Updated] (KNOX-2234) Omitting cookie from outbound request header

2020-02-13 Thread James Chen (Jira)


[ https://issues.apache.org/jira/browse/KNOX-2234?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

James Chen updated KNOX-2234:
---
Attachment: cookiepatch.patch



[jira] [Updated] (KNOX-2234) Omitting cookie from outbound request header

2020-02-13 Thread James Chen (Jira)


[ https://issues.apache.org/jira/browse/KNOX-2234?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

James Chen updated KNOX-2234:
---
Attachment: KNOX-2234.patch



[jira] [Updated] (KNOX-2234) Omitting cookie from outbound request header

2020-02-13 Thread James Chen (Jira)


[ https://issues.apache.org/jira/browse/KNOX-2234?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

James Chen updated KNOX-2234:
---
Attachment: (was: cookiepatch.patch)
