Posted to dev@knox.apache.org by "Larry McCay (Jira)" <ji...@apache.org> on 2020/02/13 23:52:00 UTC

[jira] [Commented] (KNOX-2234) Omitting cookie from outbound request header

    [ https://issues.apache.org/jira/browse/KNOX-2234?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17036591#comment-17036591 ] 

Larry McCay commented on KNOX-2234:
-----------------------------------

[~jameschen1519] - this seems likely to break many applications that are proxied by Knox that require their own session cookies.
Think about Ambari, Ranger, Atlas, Cloudera Manager and maybe Zeppelin.

Am I missing something?

> Omitting cookie from outbound request header
> --------------------------------------------
>
>                 Key: KNOX-2234
>                 URL: https://issues.apache.org/jira/browse/KNOX-2234
>             Project: Apache Knox
>          Issue Type: Improvement
>    Affects Versions: 1.2.0, 1.3.0
>            Reporter: James Chen
>            Priority: Minor
>              Labels: easy-fix
>         Attachments: KNOX-2234.patch
>
>   Original Estimate: 168h
>  Remaining Estimate: 168h
>
> It is possible for an attacker to directly steal user session information by having a user visit or load a URL using Knox, as cookies are forwarded in the header on the outbound request. This behavior doesn't seem to serve any particular function either, as the endpoint Knox tries to contact shouldn't need any authentication by Knox. We suggest that user-Knox cookies should be omitted from the outbound request.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
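Added example (Python; not part of this thread and not Knox project code): a small outbound-header filter that reconciles the two positions above, dropping only the gateway's own session cookie(s) from the forwarded Cookie header so that cookies the proxied application set for itself (its own session cookie, for instance) still reach it. The gateway cookie name `gateway-session`, the header names and the sample cookie values are constructed placeholders, not names taken from Knox.

```python
"""Selective cookie stripping for a reverse proxy's outbound request.

The concern in the ticket: forwarding every inbound cookie to the backend
leaks the gateway's own session token to whatever the backend is.  The
concern in the reply: dropping the whole Cookie header breaks applications
behind the proxy that rely on their own session cookies.  Removing only
gateway-owned cookies by name addresses both.

Assumptions (not from the thread): the gateway's session cookie names are
known in advance; "gateway-session" is a placeholder for the real name.
"""

from typing import Dict, FrozenSet, List, Tuple

# Placeholder: the cookie name(s) the gateway itself issues to the browser.
GATEWAY_COOKIE_NAMES: FrozenSet[str] = frozenset({"gateway-session"})


def parse_cookie_header(value: str) -> List[Tuple[str, str]]:
    """Split a Cookie header into (name, value) pairs, preserving order.

    Splits each fragment on the first '=' only, so values that themselves
    contain '=' (base64 padding, encoded tokens) are kept whole.  Empty
    fragments (from ';;' or a trailing ';') and fragments without '=' are
    skipped rather than raising.
    """
    pairs: List[Tuple[str, str]] = []
    for fragment in value.split(";"):
        fragment = fragment.strip()
        if not fragment:
            continue
        name, sep, val = fragment.partition("=")
        if not sep:
            continue  # malformed fragment, drop it
        pairs.append((name.strip(), val.strip()))
    return pairs


def strip_gateway_cookies(
    headers: Dict[str, str],
    gateway_names: FrozenSet[str] = GATEWAY_COOKIE_NAMES,
) -> Dict[str, str]:
    """Return a copy of the outbound headers with gateway-owned cookies removed.

    The header name is matched case-insensitively (HTTP header names are);
    cookie names are matched exactly (RFC 6265 treats them as case-sensitive).
    If no cookies remain after filtering, the Cookie header is dropped rather
    than forwarded empty.
    """
    filtered: Dict[str, str] = {}
    for header, value in headers.items():
        if header.lower() != "cookie":
            filtered[header] = value
            continue
        kept = [(n, v) for n, v in parse_cookie_header(value) if n not in gateway_names]
        if kept:
            filtered[header] = "; ".join(f"{n}={v}" for n, v in kept)
    return filtered


if __name__ == "__main__":
    # Constructed sample of an inbound request's headers as the proxy would
    # otherwise forward them verbatim to the backend.
    inbound = {
        "Host": "backend.internal",
        "Cookie": "gateway-session=gw-token-123; app-session=abc; theme=dark",
    }
    outbound = strip_gateway_cookies(inbound)
    print(outbound["Cookie"])  # app-session=abc; theme=dark
```

The filter keeps the backend's cookies and forwards the gateway token to no one; a useful regression check is to assert that, for every route, the gateway cookie name never appears in what the proxy sends onward.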