Bug 1142728

Summary: Cookie Attributes - Secure flag
Product: Red Hat Enterprise Virtualization Manager
Reporter: Shubhendu Tripathi <shtripat>
Component: ovirt-engine
Assignee: Alexander Wels <awels>
Status: CLOSED CURRENTRELEASE
QA Contact: movciari
Severity: high
Priority: unspecified
Version: 3.5.0
CC: awels, gklein, lpeer, pstehlik, rbalakri, Rhev-m-bugs, srevivo, vszocs, ykaul
Target Milestone: ovirt-3.6.0-rc
Target Release: 3.6.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2016-04-20 01:26:21 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: UX
Cloudforms Team: ---
Bug Blocks: 1105490, 1230064

Description Shubhendu Tripathi 2014-09-17 09:50:58 UTC
Description:
Cookies without the Secure flag are allowed to be transmitted through an unencrypted channel, which makes them susceptible to sniffing.

Affected cookies:
All of the cookies.

Advice: Use the Secure flag when generating a cookie.

References:
CWE-614 - http://cwe.mitre.org/data/definitions/614.html

Comment 9 movciari 2015-09-29 07:00:46 UTC
JSESSIONID and rh_sso cookies now have the Secure flag.
locale doesn't have the Secure flag, but that seems reasonable, so this is verified.
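As an added example (not code from the bug report or the oVirt project), the following Python audit parses a response's Set-Cookie headers and reports which cookies lack the Secure flag, so the state verified in Comment 9 can be checked mechanically. The sample headers are constructed: the cookie names mirror those named above, the values and paths are placeholders.

```python
"""Audit Set-Cookie headers for the Secure flag (CWE-614).

Constructed sample: the cookie names follow the bug (JSESSIONID, rh_sso,
locale); values and paths are placeholders, not real tokens or oVirt paths.
"""

SAMPLE_SET_COOKIE_HEADERS = [
    "JSESSIONID=placeholder-session-id; Path=/placeholder; Secure; HttpOnly",
    "rh_sso=placeholder-sso-token; Path=/; Secure; HttpOnly",
    "locale=en_US; Path=/",
]


def parse_set_cookie(header_value):
    """Return (name, attributes) for one Set-Cookie header value.

    Attribute names are lower-cased. Flag attributes such as Secure and
    HttpOnly map to True; valued attributes (Path, Max-Age, ...) map to their
    string value. Browsers ignore any value given to Secure, so presence of
    the attribute is what matters, not its value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if has_value else True
    return name.strip(), attrs


def audit_cookies(header_values):
    """Map each cookie name to whether it carries the Secure and HttpOnly flags."""
    report = {}
    for header_value in header_values:
        name, attrs = parse_set_cookie(header_value)
        report[name] = {
            "secure": "secure" in attrs,      # attribute present, value ignored
            "httponly": "httponly" in attrs,
        }
    return report


def cookies_missing_secure(header_values):
    """Names of cookies a browser would also send over plain HTTP (CWE-614)."""
    return sorted(
        name for name, flags in audit_cookies(header_values).items()
        if not flags["secure"]
    )
```

Running it over the sample reproduces the Comment 9 result: only `locale` is reported as missing Secure.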