Bug 1368525
Field | Value
---|---
Summary: | Secure cookie sent over plain HTTP when insecureEdgeTerminationPolicy allows both TLS and non-TLS
Product: | OpenShift Container Platform
Reporter: | Josep 'Pep' Turro Mauri <pep>
Component: | Networking
Assignee: | Maru Newby <mnewby>
Networking sub component: | router
QA Contact: | zhaozhanqi <zzhao>
Status: | CLOSED ERRATA
Docs Contact: |
Severity: | medium
Priority: | medium
CC: | aos-bugs, bbennett, bmeng, eparis, erich, mnewby, tdawson
Version: | 3.2.0
Target Milestone: | ---
Target Release: | ---
Hardware: | All
OS: | Linux
Whiteboard: |
Fixed In Version: |
Doc Type: | Bug Fix
Story Points: | ---
Clone Of: |
Environment: |
Last Closed: | 2016-09-27 09:45:14 UTC
Type: | Bug
Regression: | ---
Mount Type: | ---
Documentation: | ---
CRM: |
Verified Versions: |
Category: | ---
oVirt Team: | ---
RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | ---
Target Upstream Version: |
Embargoed: |

Doc Text:

Cause: When an edge-terminated Route had insecureEdgeTerminationPolicy set to Allow — meaning that the Route could be accessed by both http and https — the inserted session cookie was always flagged as Secure.
Consequence: When a client connected over http the secure cookie would be dropped, breaking session persistence.
Fix: Cookies for edge-terminated routes that allow insecure connections are set to be non-secure.
Result: Session persistence for such routes is maintained.
Description
Josep 'Pep' Turro Mauri
2016-08-19 16:12:33 UTC
Checked on OSE build v3.3.0.24. Issue has been fixed.

```
[user1@ose-master ~]$ oc get route
NAME                 HOST/PORT               PATH      SERVICES           PORT      TERMINATION
secured-edge-route   test-edge.example.com             service-unsecure   <all>     edge/Allow
[user1@ose-master ~]$ curl --resolve test-edge.example.com:443:10.66.141.94 https://test-edge.example.com/ -ksi | grep -i cookie
Set-Cookie: 856b4156ac0b95c408838f12ef7f9606=d32a4671f8f41f0d1a12fb20d80891a2; path=/; HttpOnly
[user1@ose-master ~]$ curl --resolve test-edge.example.com:80:10.66.141.94 http://test-edge.example.com/ -ksi | grep -i cookie
Set-Cookie: 856b4156ac0b95c408838f12ef7f9606=558525a7a02b24756fb18f087aab7be6; path=/; HttpOnly
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1933
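The Doc Text states the rule behind the fix (the session cookie may carry the Secure attribute only when the route cannot be reached over plain http), and the verification comment shows the two Set-Cookie headers observed after the fix. The following Go program is an added example and not code from the OpenShift router: it encodes that rule in a small function, parses the attributes of a Set-Cookie header, and checks the two headers quoted above against the route's edge/Allow configuration. The Route type, field names and function names are assumptions for illustration; the router itself applies this in its HAProxy configuration template, whose exact expression is not on this page.

```go
package main

import (
	"fmt"
	"strings"
)

// Route mirrors the two route fields that decide the cookie flag in this bug.
// Constructed for this example; not the router's own types.
type Route struct {
	Name                          string
	TLSTermination                string // "", "edge", "reencrypt", "passthrough"
	InsecureEdgeTerminationPolicy string // "", "None", "Allow", "Redirect"
}

// SessionCookieSecure reports whether the router-inserted session cookie
// should carry the Secure attribute. The rule follows the Doc Text: a cookie
// may be flagged Secure only when every client path to the route is TLS.
// An edge route with insecureEdgeTerminationPolicy=Allow is also reachable
// over plain http, so its cookie must not be Secure or http clients lose
// session persistence (the bug described above).
func SessionCookieSecure(r Route) bool {
	switch r.TLSTermination {
	case "":
		return false // plain http route, no TLS at all
	case "edge", "reencrypt":
		// "Allow" keeps the plain-http path open; anything else ("", "None",
		// "Redirect") means clients only ever exchange the cookie over TLS.
		return r.InsecureEdgeTerminationPolicy != "Allow"
	default:
		// passthrough: the router never terminates TLS or sees the HTTP
		// layer, so it inserts no cookie at all.
		return false
	}
}

// CookieAttrs parses a Set-Cookie header value into the set of attribute
// names it carries, lower-cased and without values, e.g. {"path", "httponly"}.
func CookieAttrs(setCookie string) map[string]bool {
	attrs := map[string]bool{}
	parts := strings.Split(setCookie, ";")
	for _, p := range parts[1:] { // parts[0] is the name=value pair
		name := strings.ToLower(strings.TrimSpace(p))
		if i := strings.Index(name, "="); i >= 0 {
			name = name[:i]
		}
		if name != "" {
			attrs[name] = true
		}
	}
	return attrs
}

// CheckVerification compares the Secure attribute actually observed on a
// Set-Cookie header with what the route's policy requires. It returns ""
// when they agree, otherwise a description of the mismatch.
func CheckVerification(r Route, setCookie string) string {
	got := CookieAttrs(setCookie)["secure"]
	want := SessionCookieSecure(r)
	if got == want {
		return ""
	}
	return fmt.Sprintf("route %s (%s/%s): cookie Secure=%v, expected %v",
		r.Name, r.TLSTermination, r.InsecureEdgeTerminationPolicy, got, want)
}

func main() {
	// The route and the two Set-Cookie values quoted in the verification
	// comment (copied from the page; "Set-Cookie: " prefix stripped).
	route := Route{Name: "secured-edge-route", TLSTermination: "edge", InsecureEdgeTerminationPolicy: "Allow"}
	observed := []string{
		"856b4156ac0b95c408838f12ef7f9606=d32a4671f8f41f0d1a12fb20d80891a2; path=/; HttpOnly",
		"856b4156ac0b95c408838f12ef7f9606=558525a7a02b24756fb18f087aab7be6; path=/; HttpOnly",
	}
	for _, sc := range observed {
		if msg := CheckVerification(route, sc); msg != "" {
			fmt.Println("MISMATCH:", msg)
		} else {
			fmt.Println("ok:", sc)
		}
	}
	// A pre-fix header for the same route (constructed) is reported as a mismatch.
	fmt.Println(CheckVerification(route, observed[0]+"; Secure"))
}
```

Running the program prints "ok" for both quoted headers, since neither carries Secure and the route allows insecure connections, and a mismatch line for the constructed pre-fix header. The same check can be pointed at the output of the two curl commands above to confirm the fix on a given build.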