guacamole-user mailing list archives

From Mike Jumper <mjum...@apache.org>
Subject Re: [SECURITY] CVE-2018-1340: Secure flag missing from Apache Guacamole session cookie
Date Sun, 27 Jan 2019 01:37:29 GMT
On Sat, Jan 26, 2019 at 5:26 PM <DMoscovitch@simard.ca> wrote:
>
> Would that mean if the server, if accessible only by https://guacamole.domain.com/something/
> and http was blocked, it would be ok in this case?
>

Yes.

There would only be a danger of the session token being intercepted if
unencrypted HTTP requests were made to guacamole.domain.com while the
Guacamole session was valid (the user was still logged in). There is
no such danger if all requests to your domain are encrypted.

- Mike
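
The condition described in the reply above, as an added example that is not part of the original message or of Guacamole's own code: it applies the RFC 6265 domain, path and Secure matching rules to a `Set-Cookie` header and lists the plain-HTTP requests that would carry the cookie. The cookie name, its value and the request URLs are constructed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample headers; the cookie name and value are placeholders.
WITHOUT_SECURE = "SESSION_TOKEN=constructed-value; Path=/something/; HttpOnly"
WITH_SECURE = WITHOUT_SECURE + "; Secure"


def parse_set_cookie(header, origin_host):
    """Extract the attributes that decide which requests carry the cookie."""
    jar = SimpleCookie()
    jar.load(header)
    name, morsel = next(iter(jar.items()))
    return {
        "name": name,
        "domain": (morsel["domain"] or origin_host).lstrip(".").lower(),
        "host_only": not morsel["domain"],  # no Domain attribute: exact host only
        "path": morsel["path"] or "/",
        "secure": bool(morsel["secure"]),
    }


def sent_with(cookie, url):
    """True if a browser following RFC 6265 would attach the cookie to url."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    domain_ok = host == cookie["domain"] or (
        not cookie["host_only"] and host.endswith("." + cookie["domain"]))
    cpath = cookie["path"]
    path_ok = path == cpath or (
        path.startswith(cpath)
        and (cpath.endswith("/") or path[len(cpath)] == "/"))
    # A cookie marked Secure is only sent over https; an unmarked one over both.
    secure_ok = parts.scheme == "https" or not cookie["secure"]
    return domain_ok and path_ok and secure_ok


def cleartext_exposures(header, origin_host, urls):
    """Return the plain-HTTP requests that would transmit the cookie."""
    cookie = parse_set_cookie(header, origin_host)
    return [u for u in urls
            if urlsplit(u).scheme == "http" and sent_with(cookie, u)]
```

With only `https://` URLs in the request list the result is empty whether or not the flag is set, which is the case the question asks about.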
