Posted to dev@knox.apache.org by "James Chen (Jira)" <ji...@apache.org> on 2020/02/14 00:24:00 UTC

[jira] [Comment Edited] (KNOX-2234) Omitting cookie from outbound request header

    [ https://issues.apache.org/jira/browse/KNOX-2234?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17036601#comment-17036601 ] 

James Chen edited comment on KNOX-2234 at 2/14/20 12:23 AM:
------------------------------------------------------------

I'm admittedly not familiar with the logistics of how the session cookies work relative to those applications, but the change adds "Cookie" to REQUEST_EXCLUDE_HEADERS. This is a set of headers that should not be copied from the inbound request to the outbound request. Are the session cookies only between Knox and the application, or is there client involvement in generating these cookies? I feel that, if it's the former, this should be safe; if it's the latter, though, I can see how that can cause problems. Would you happen to have more knowledge on this?


was (Author: jameschen1519):
I'm admittedly not too familiar with the logistics of how the session cookies work relative to those applications, but the change adds "Cookie" to REQUEST_EXCLUDE_HEADERS. This is a set of headers that should not be copied from the inbound request to the outbound request. Are the session cookies only between Knox and the application, or is there client involvement in generating these cookies? I feel that, if it's the former, this should be safe; if it's the latter, though, I can see how that can cause problems. Would you happen to have more knowledge on this?

> Omitting cookie from outbound request header
> --------------------------------------------
>
>                 Key: KNOX-2234
>                 URL: https://issues.apache.org/jira/browse/KNOX-2234
>             Project: Apache Knox
>          Issue Type: Improvement
>    Affects Versions: 1.2.0, 1.3.0
>            Reporter: James Chen
>            Priority: Minor
>              Labels: easy-fix
>         Attachments: KNOX-2234.patch
>
>   Original Estimate: 168h
>  Remaining Estimate: 168h
>
> It is possible for an attacker to directly steal user session information by having a user visit or load a URL using Knox, as cookies are forwarded in the header on the outbound request. This behavior doesn't seem to serve any particular function either, as the endpoint Knox tries to contact shouldn't need any authentication by Knox. We suggest that user-Knox cookies should be omitted from the outbound request.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
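To illustrate the behaviour the comment and the issue describe (an exclude set applied when a gateway copies inbound request headers onto its outbound request), here is an added example; it is not Knox code, and the exclude set contents other than "Cookie", the constructed inbound request, and the function names are assumptions made for this illustration:

```python
"""Reverse-proxy header forwarding with a request exclude set (constructed example,
not Apache Knox code). Only "Cookie" is taken from KNOX-2234; every other value
below is assumed for illustration."""

# Header names that must never be copied from the inbound (client -> gateway)
# request onto the outbound (gateway -> backend) request. "Cookie" is the
# KNOX-2234 addition; "Authorization" is an assumed extra entry for the example.
REQUEST_EXCLUDE_HEADERS = frozenset(h.lower() for h in ("Cookie", "Authorization"))


def forward_headers(inbound, exclude=REQUEST_EXCLUDE_HEADERS):
    """Return the outbound header list with excluded names dropped.

    `inbound` is a list of (name, value) pairs so repeated headers (several Cookie
    lines, for instance) are kept intact. Matching is case-insensitive because
    HTTP header names are; an exact-string exclude list would let 'cookie' through.
    """
    return [(name, value) for name, value in inbound if name.lower() not in exclude]


def leaked_headers(outbound, exclude=REQUEST_EXCLUDE_HEADERS):
    """Lower-cased names from the exclude set still present in an outbound
    request; an empty list means nothing sensitive is being forwarded."""
    return sorted({name.lower() for name, _ in outbound if name.lower() in exclude})


# Constructed inbound request. The session cookie is meant to stay between the
# client and the gateway and has no business reaching the backend endpoint.
INBOUND = [
    ("Accept", "application/json"),
    ("cookie", "JSESSIONID=constructed-session-id"),
    ("Cookie", "KNOXSESSIONID=another-constructed-value"),
    ("X-Forwarded-For", "203.0.113.5"),
]

# Before the fix: every inbound header is copied, cookies included.
BEFORE = list(INBOUND)
# After the fix: the exclude set is applied while building the outbound request.
AFTER = forward_headers(INBOUND)

if __name__ == "__main__":
    print("leaked before fix:", leaked_headers(BEFORE))  # ['cookie']
    print("leaked after fix: ", leaked_headers(AFTER))   # []
```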