Bug 1142728 - Cookie Attributes - Secure flag
Summary: Cookie Attributes - Secure flag
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 3.5.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ovirt-3.6.0-rc
Target Release: 3.6.0
Assignee: Alexander Wels
QA Contact: movciari
URL:
Whiteboard:
Depends On:
Blocks: 1105490 1230064
 
Reported: 2014-09-17 09:50 UTC by Shubhendu Tripathi
Modified: 2016-04-20 01:26 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-04-20 01:26:21 UTC
oVirt Team: UX
Target Upstream Version:
Embargoed:



Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| oVirt gerrit | 33981 | 0 | master | MERGED | restapi,userportal,webadmin: secure cookie | Never |

Description Shubhendu Tripathi 2014-09-17 09:50:58 UTC
Description:
Cookies without the Secure flag are allowed to be transmitted through an unencrypted channel, which makes them susceptible to sniffing.

Affected cookies:
All of the cookies.

Advice: Use the Secure flag when generating a cookie.

References:
CWE-614 - http://cwe.mitre.org/data/definitions/614.html

Comment 9 movciari 2015-09-29 07:00:46 UTC
JSESSIONID and rh_sso cookies now have secure flag
locale doesn't have secure flag, but that seems reasonable, so this is verified
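
Added example (not part of the bug report or the oVirt code): a small Python check in the spirit of the verification in comment 9, which parses Set-Cookie header values and reports cookies that lack the Secure attribute. The header values, cookie paths and the allowlist containing `locale` are constructed assumptions.

```python
# Added example: audit Set-Cookie headers for the Secure attribute (CWE-614).
# Header values below are constructed samples, not captured from oVirt.

# Cookies accepted without Secure because they carry no session state
# (assumption based on comment 9, which accepts `locale`).
NON_SENSITIVE = {"locale"}


def parse_set_cookie(header):
    """Return (name, set of lowercase attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Only attributes after the first name=value pair count; a cookie whose
    # value happens to be "secure" must not be mistaken for the flag.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit(headers, allow_insecure=NON_SENSITIVE):
    """Map each cookie name to 'ok', 'allowed' or 'MISSING Secure'."""
    result = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if "secure" in attrs:
            result[name] = "ok"
        elif name in allow_insecure:
            result[name] = "allowed"
        else:
            result[name] = "MISSING Secure"
    return result


# Constructed responses: before and after the fix described in this bug.
BEFORE = [
    "JSESSIONID=abc123; Path=/ovirt-engine; HttpOnly",
    "rh_sso=token; Path=/",
    "locale=en_US; Path=/",
]
AFTER = [
    "JSESSIONID=abc123; Path=/ovirt-engine; Secure; HttpOnly",
    "rh_sso=token; Path=/; secure",
    "locale=en_US; Path=/",
]

if __name__ == "__main__":
    for label, headers in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(headers))
```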