[ https://issues.apache.org/jira/browse/KNOX-2234?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17036602#comment-17036602 ]
Kevin Risden commented on KNOX-2234:
------------------------------------

Ok so need to take a step back here:

bq. outbound request.

Outbound request just to be super clear is from Knox to the backend service. This would be WebHDFS or whatever behind Knox.

bq. as the endpoint Knox tries to contact shouldn't need any authentication by Knox.

The entire point of Knox is to authenticate against the backend. So Knox -> backend definitely is authenticated. The cookies here are useful. Especially in the case of SPNEGO when cookies are used between Knox and the backend.

bq. We suggest that user-Knox cookies should be omitted from the outbound request.

What user session information could be stolen? Knox by default prevents outbound cookies going back to the client on the response. So even if the backend updates cookies these are not by default propagated to the original client.

If the backend server is compromised, you have bigger issues than Knox sending cookies to it. It's not just cookies but it could be other information. Preventing cookies to the backend is a weird thing to protect against.

> Omitting cookie from outbound request header
> --------------------------------------------
>
>                 Key: KNOX-2234
>                 URL: https://issues.apache.org/jira/browse/KNOX-2234
>             Project: Apache Knox
>          Issue Type: Improvement
>    Affects Versions: 1.2.0, 1.3.0
>            Reporter: James Chen
>            Priority: Minor
>              Labels: easy-fix
>         Attachments: KNOX-2234.patch
>
>   Original Estimate: 168h
>  Remaining Estimate: 168h
>
> It is possible for an attacker to directly steal user session information by
> having a user visit or load a URL using Knox, as cookies are forwarded in the
> header on the outbound request. This behavior doesn't seem to serve any
> particular function either, as the endpoint Knox tries to contact shouldn't
> need any authentication by Knox. We suggest that user-Knox cookies should be
> omitted from the outbound request.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)