cloudstack-issues mailing list archives

From "Rohit Yadav (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-8505) Don't allow non-POST http requests on default login request
Date Wed, 05 Oct 2016 12:07:20 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-8505?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15548518#comment-15548518 ]

Rohit Yadav commented on CLOUDSTACK-8505:
-----------------------------------------

[~jburwell] [~pdion] this was a reported security issue on security@ (search for a thread
-- regarding security issue noticed by QA recently in CloudStack(4.6)). The parameters are
not sent as parameters on the URL but as args in the HTTP post request. This was done as a
general security measure.

Earlier, the UI used apikey/secretkey from the url itself to make api requests; this caused
the UI in another tab in the same browser to log out. We also introduced several security enhancements
such as use of httponly and secure cookies etc. The current login is based on secure cookies,
so when used over SSL -- the login information is not part of the login url/request; similarly
api/secret or session keys are returned by a successful login as part of the cookies set by the
server. This allows users to open the UI in multiple tabs without getting logged out.

> Don't allow non-POST http requests on default login request
> -----------------------------------------------------------
>
>                 Key: CLOUDSTACK-8505
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8505
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>            Reporter: Rohit Yadav
>            Assignee: Rohit Yadav
>             Fix For: 4.5.2, 4.6.0
>
>
> Disallow requests that are not POST requests.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
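The measure described in the comment above, as an added illustration that is not CloudStack's own code: a login handler that accepts credentials only from a POST body, refuses them on the query string, and hands the session key back in an HttpOnly/Secure cookie instead of the URL. The handler name, the `issue_session` callback, the `sessionkey` cookie name and the demo credentials are all constructed for this example.

```python
import secrets
import http.cookies
from urllib.parse import parse_qs


def handle_login(method, query_string, body, issue_session):
    """Hypothetical login endpoint. Returns (status, headers, payload).
    `issue_session(username, password)` is a caller-supplied function that
    returns a fresh session id on success and None on failure."""
    if method != "POST":
        # Reject GET/HEAD/etc. so credentials never ride in the URL, where they
        # would land in browser history, proxy logs and Referer headers.
        return 405, [("Allow", "POST")], {"error": "login requires POST"}
    if query_string:
        # Even on POST, refuse credentials supplied via the query string.
        params = parse_qs(query_string)
        if "username" in params or "password" in params:
            return 400, [], {"error": "credentials must be in the request body"}
    form = parse_qs(body)
    username = form.get("username", [""])[0]
    password = form.get("password", [""])[0]
    if not username or not password:
        return 400, [], {"error": "missing credentials"}
    session_id = issue_session(username, password)
    if session_id is None:
        return 401, [], {"error": "invalid credentials"}
    # Session key goes back as a cookie the page's scripts cannot read
    # (HttpOnly) and the browser only sends over TLS (Secure).
    cookie = http.cookies.SimpleCookie()
    cookie["sessionkey"] = session_id
    cookie["sessionkey"]["httponly"] = True
    cookie["sessionkey"]["secure"] = True
    cookie["sessionkey"]["path"] = "/client"
    set_cookie = cookie.output(header="").strip()
    return 200, [("Set-Cookie", set_cookie)], {"loginresult": "ok"}


def demo_issue_session(username, password):
    """Constructed credential check standing in for a real authenticator."""
    if username == "admin" and password == "demo-password":
        return secrets.token_hex(16)
    return None


if __name__ == "__main__":
    print(handle_login("GET", "username=admin&password=demo-password", "", demo_issue_session))
    print(handle_login("POST", "", "username=admin&password=demo-password", demo_issue_session))
```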
