Yes and No. They will appear to be logged in to Horizon, but the Keystone token will be invalid and thus they will be unable to obtain any data or perform any actions via the APIs. Since all of Horizon's data comes from APIs, this is a very limited problem space.
There are reasonably well-documented ways to mitigate this issue (HTTPS, HSTS, secure cookies, etc.), but cookie stealing is a problem that most web applications are subject to, to some degree. I think we mitigate in a reasonable fashion. Further suggestions are more than welcome!

- Gabriel

> -----Original Message-----
> From: Jeffrey Walton [mailto:noloa...@gmail.com]
> Sent: Wednesday, October 02, 2013 1:53 AM
> To: openstack@lists.openstack.org
> Subject: [Openstack] Fwd: [Full-disclosure] [Django] Cookie-based session storage session invalidation issue
>
> Not sure if this made anyone's radar....
>
> ---------- Forwarded message ----------
> From: G. S. McNamara <m...@gsmcnamara.com>
> Date: Tue, Oct 1, 2013 at 4:20 PM
> Subject: [Full-disclosure] [Django] Cookie-based session storage session invalidation issue
> To: full-disclos...@lists.grok.org.uk
>
> FD,
>
> I’m back!
>
> Django versions 1.4 – 1.7 offer a cookie-based session storage option (not the default this time) that is afflicted by the same issue I posted about previously concerning Ruby on Rails:
>
> If you obtain a user’s cookie, even if they log out, you can still log in as them.
>
> The short write-up is here, if needed:
> http://maverickblogging.com/security-vulnerability-with-django-cookie-based-sessions/
>
> Cheers,
>
> G. S. McNamara
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to : openstack@lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
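The behaviour McNamara reports (a purely client-side signed session cookie keeps verifying after logout because the server holds nothing to revoke) and the kind of server-side check Gabriel's reply relies on (a credential inside the session that the server can invalidate, as he says the Keystone token is) are modelled below as an added example. This is not Django's, Horizon's, or either poster's code: a hand-rolled HMAC-SHA256 cookie stands in for Django's signed-cookie session backend, and the `StatelessServer`, `RevocableServer` and `replay_after_logout` names, the embedded secret, and the per-login serial used for revocation are assumptions made for illustration.

```python
"""Signed-cookie sessions: why logout does not revoke a stolen copy, and one fix.

Added example (not Django/Horizon code). The HMAC cookie below models the shape
of a client-side signed session; the revocation scheme is an assumed mitigation.
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional

# Constructed secret for this example only; a real deployment uses its own key.
SECRET_KEY = b"example-secret-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(data: dict) -> str:
    """Serialise the session and append an HMAC-SHA256 tag: '<body>.<tag>'."""
    body = _b64(json.dumps(data, sort_keys=True).encode())
    tag = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def load_session(cookie: str) -> Optional[dict]:
    """Return the session dict if the tag verifies, else None (malformed/tampered)."""
    try:
        body, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(_unb64(body))


class StatelessServer:
    """All session state lives in the cookie; logout only asks the browser to drop it."""

    def login(self, user: str) -> str:
        return sign_session({"user": user})

    def logout(self, cookie: str) -> None:
        # Nothing to invalidate server-side: every earlier copy of the cookie stays valid.
        return None

    def whoami(self, cookie: str) -> Optional[str]:
        sess = load_session(cookie)
        return sess["user"] if sess else None


class RevocableServer(StatelessServer):
    """Same signed cookie, plus a server-side per-login serial that logout discards.

    This mirrors the page's point that Horizon's cookie carries a Keystone token
    which the server can reject; here the 'token' is an assumed random serial.
    """

    def __init__(self) -> None:
        self.serial: Dict[str, str] = {}

    def login(self, user: str) -> str:
        self.serial[user] = secrets.token_hex(8)
        return sign_session({"user": user, "serial": self.serial[user]})

    def logout(self, cookie: str) -> None:
        sess = load_session(cookie)
        if sess:
            # Revokes every cookie issued for this login, stolen copies included.
            self.serial.pop(sess["user"], None)

    def whoami(self, cookie: str) -> Optional[str]:
        sess = load_session(cookie)
        if not sess or self.serial.get(sess["user"]) != sess.get("serial"):
            return None
        return sess["user"]


def replay_after_logout(server: StatelessServer) -> Optional[str]:
    """Attacker copies the victim's cookie, victim logs out, attacker replays the copy."""
    cookie = server.login("alice")
    stolen = cookie  # e.g. sniffed over plain HTTP, which HTTPS/HSTS/Secure cookies prevent
    server.logout(cookie)
    return server.whoami(stolen)


if __name__ == "__main__":
    print("stateless :", replay_after_logout(StatelessServer()))
    print("revocable :", replay_after_logout(RevocableServer()))
```

The signature check is the same in both servers, which is the point: a valid HMAC only proves the server issued the cookie at some time, not that the session is still live. Revocation needs something the server can forget, whether that is a per-login serial as here or a backend token such as the Keystone token Horizon carries.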