[GitHub] cloudstack pull request: Reinstate working sessions in browser

2015-07-10 Thread asfgit
Github user asfgit closed the pull request at: https://github.com/apache/cloudstack/pull/308

[GitHub] cloudstack pull request: Reinstate working sessions in browser

2015-06-09 Thread rsafonseca
Github user rsafonseca commented on the pull request: https://github.com/apache/cloudstack/pull/308#issuecomment-110293689 @vadimkim are you building the latest version of this PR? I've removed the initial host_ prefix on the cookies, since that was not the issue that led to breaking

[GitHub] cloudstack pull request: Reinstate working sessions in browser

2015-06-09 Thread vadimkim
Github user vadimkim commented on the pull request: https://github.com/apache/cloudstack/pull/308#issuecomment-110282737 @rsafonseca I didn't get it. Don't have so deep knowledge about cookie manipulation. If I open dev-tools at Chrome I can see only 1 cookie with name =

[GitHub] cloudstack pull request: Reinstate working sessions in browser

2015-06-09 Thread rsafonseca
Github user rsafonseca commented on the pull request: https://github.com/apache/cloudstack/pull/308#issuecomment-110268630 @vadimkim I need to do some testing with this setup, which I'm afraid I might only have time to do later this week or in the weekend. It is generally easier to

[GitHub] cloudstack pull request: Reinstate working sessions in browser

2015-06-09 Thread vadimkim
Github user vadimkim commented on the pull request: https://github.com/apache/cloudstack/pull/308#issuecomment-110271962 @rsafonseca Can you help me to define the correct internal domain name? If I check cookie at plain HTTP server (where it works) I see **domainid** field with

[GitHub] cloudstack pull request: Reinstate working sessions in browser

2015-06-09 Thread rsafonseca
Github user rsafonseca commented on the pull request: https://github.com/apache/cloudstack/pull/308#issuecomment-110275707 @vadimkim The only cookie that is set by the server and needs to be rewritten is the sessionkey cookie, all the others are created by the client and will

[GitHub] cloudstack pull request: Reinstate working sessions in browser

2015-06-09 Thread vadimkim
Github user vadimkim commented on the pull request: https://github.com/apache/cloudstack/pull/308#issuecomment-110319573 @rsafonseca I didn't apply this patch indeed. It requires Java class re-compilation and I don't dare to do it directly in production. JS was not so critical

[GitHub] cloudstack pull request: Reinstate working sessions in browser

2015-06-09 Thread vadimkim
Github user vadimkim commented on the pull request: https://github.com/apache/cloudstack/pull/308#issuecomment-110259230 @rsafonseca I have added Set-Cookie and P3P lines into config. My $host variable contains either kickcloud.net or www.kickcloud.net -- depends on request user

[GitHub] cloudstack pull request: Reinstate working sessions in browser

2015-06-08 Thread vadimkim
Github user vadimkim commented on the pull request: https://github.com/apache/cloudstack/pull/308#issuecomment-109923828 I have recently implemented SSL proxy in front of CS. This way seems to be more practical than deploying certificates directly into Tomcat. After such

[GitHub] cloudstack pull request: Reinstate working sessions in browser

2015-06-08 Thread rsafonseca
Github user rsafonseca commented on the pull request: https://github.com/apache/cloudstack/pull/308#issuecomment-109951692 Session persistence is not working on any scenario atm. The aim of this is to fix that. The security measure is aimed to prevent browser vulnerability, which

[GitHub] cloudstack pull request: Reinstate working sessions in browser

2015-06-08 Thread vadimkim
Github user vadimkim commented on the pull request: https://github.com/apache/cloudstack/pull/308#issuecomment-110004148 @rsafonseca Thank you for explanation. I will try to put my points here: 1. For public cloud HTTPS must be used (this is not an option) and external SSL

[GitHub] cloudstack pull request: Reinstate working sessions in browser

2015-06-08 Thread vadimkim
Github user vadimkim commented on the pull request: https://github.com/apache/cloudstack/pull/308#issuecomment-109960026 I have applied your patch manually and it worked for HTTP. I have expected that if I put an HTTPS proxy in front of it, it will continue to work. But at HTTPS

[GitHub] cloudstack pull request: Reinstate working sessions in browser

2015-06-08 Thread rsafonseca
Github user rsafonseca commented on the pull request: https://github.com/apache/cloudstack/pull/308#issuecomment-109981697 @vadimkim Let me try to break it down: In the past, with the purpose of preventing a browser vulnerability, session persistence was completely

[GitHub] cloudstack pull request: Reinstate working sessions in browser

2015-06-08 Thread rsafonseca
Github user rsafonseca commented on the pull request: https://github.com/apache/cloudstack/pull/308#issuecomment-110049806 @vadimkim It seems like you're not passing the cookies over to the client on that config :) Try setting: proxy_pass_header Set-Cookie;

[GitHub] cloudstack pull request: Reinstate working sessions in browser

2015-06-08 Thread rsafonseca
Github user rsafonseca commented on the pull request: https://github.com/apache/cloudstack/pull/308#issuecomment-110051983 About the redirect rule, I will soon bake a patch that will render that unnecessary, but for now, there should be no problem with just rewriting it in the proxy

[GitHub] cloudstack pull request: Reinstate working sessions in browser

2015-06-04 Thread DaanHoogland
Github user DaanHoogland commented on the pull request: https://github.com/apache/cloudstack/pull/308#issuecomment-108844572 This merges cleanly; should we wait for extra fixes, or have them done in separate PRs?

[GitHub] cloudstack pull request: Reinstate working sessions in browser

2015-06-03 Thread rsafonseca
Github user rsafonseca commented on the pull request: https://github.com/apache/cloudstack/pull/308#issuecomment-108577290 Hi @bhaisaab Any news on testing it? If I misunderstood the problem you stated, can you explain further or help fix as you suggested? I'm sure a lot

[GitHub] cloudstack pull request: Reinstate working sessions in browser

2015-05-29 Thread bhaisaab
Github user bhaisaab commented on the pull request: https://github.com/apache/cloudstack/pull/308#issuecomment-106800322 Hi @rsafonseca thanks for the update and patch. It's a good idea to use HTTPOnly flag on cookie to ensure we have the authentication going on and at the same time

[GitHub] cloudstack pull request: Reinstate working sessions in browser

2015-05-29 Thread rsafonseca
Github user rsafonseca commented on the pull request: https://github.com/apache/cloudstack/pull/308#issuecomment-106818248 Hi Rohit, thank you for your view on this :) Here's my comment on it: 1. No use on protecting the sessionkey from MITM attacks, as the

[GitHub] cloudstack pull request: Reinstate working sessions in browser

2015-05-29 Thread bhaisaab
Github user bhaisaab commented on the pull request: https://github.com/apache/cloudstack/pull/308#issuecomment-106906370 Hi @rsafonseca, thanks for replying. - I agree, it's best to force and use SSL than use secure flag. - Regarding point 3, what I mean to explain is that

[GitHub] cloudstack pull request: Reinstate working sessions in browser

2015-05-29 Thread rsafonseca
Github user rsafonseca commented on the pull request: https://github.com/apache/cloudstack/pull/308#issuecomment-106937060 Hi @bhaisaab I don't think that is an issue :) Whatever your login method, the cookie will always be set on the first successful command and subsequent

[GitHub] cloudstack pull request: Reinstate working sessions in browser

2015-05-27 Thread rsafonseca
Github user rsafonseca commented on the pull request: https://github.com/apache/cloudstack/pull/308#issuecomment-105861689 I see that in the parent commit Jessica tried to fix security on the cookie by setting httponly=true in Tomcat's context.xml. This would be a sane thing to

[GitHub] cloudstack pull request: Reinstate working sessions in browser

2015-05-27 Thread vadimkim
Github user vadimkim commented on the pull request: https://github.com/apache/cloudstack/pull/308#issuecomment-105861384 Have tested with 4.5.1 -- works well!

[GitHub] cloudstack pull request: Reinstate working sessions in browser

2015-05-27 Thread stephen-turner
Github user stephen-turner commented on the pull request: https://github.com/apache/cloudstack/pull/308#issuecomment-105868482 As this changes behaviour which was aiming to fix a security problem, I've referred it to the security mailing list.

Re: [GitHub] cloudstack pull request: Reinstate working sessions in browser

2015-05-27 Thread Erik Weber
Thanks for filling in the blanks, Rajani!

-- Erik

> On Wed, May 27, 2015 at 7:32 AM, Rajani Karuturi raj...@apache.org wrote:
>> On Wed, May 27, 2015 at 3:23 AM, Erik Weber terbol...@gmail.com wrote:
>> This is a perfect example of why we should use Jira for (almost all) commits. We know what

Re: [GitHub] cloudstack pull request: Reinstate working sessions in browser

2015-05-26 Thread Rajani Karuturi
> On Wed, May 27, 2015 at 3:23 AM, Erik Weber terbol...@gmail.com wrote:
> This is a perfect example of why we should use Jira for (almost all) commits. We know what this commit does, but we have to guess why it was done this way. And we don't know how to reproduce the original issue. It

[GitHub] cloudstack pull request: Reinstate working sessions in browser

2015-05-26 Thread rsafonseca
Github user rsafonseca commented on the pull request: https://github.com/apache/cloudstack/pull/308#issuecomment-105672476 @bhaisaab please take a look :)

[GitHub] cloudstack pull request: Reinstate working sessions in browser

2015-05-26 Thread rsafonseca
GitHub user rsafonseca opened a pull request: https://github.com/apache/cloudstack/pull/308 Reinstate working sessions in browser I've seen that session persistence stopped working due to https://github.com/apache/cloudstack/commit/19e3c0168e744a76b5e1dc24a5eafa776d342404 From

[GitHub] cloudstack pull request: Reinstate working sessions in browser

2015-05-26 Thread terbolous
Github user terbolous commented on a diff in the pull request: https://github.com/apache/cloudstack/pull/308#discussion_r31083230 --- Diff: ui/scripts/cloudStack.js --- @@ -329,7 +325,6 @@ g_regionsecondaryenabled = null;

Re: [GitHub] cloudstack pull request: Reinstate working sessions in browser

2015-05-26 Thread Erik Weber
This is a perfect example of why we should use Jira for (almost all) commits. We know what this commit does, but we have to guess why it was done this way. And we don't know how to reproduce the original issue. It references what I believe to be an internal Citrix Jira/tracking#, so if anyone

[GitHub] cloudstack pull request: Reinstate working sessions in browser

2015-05-26 Thread rsafonseca
Github user rsafonseca commented on the pull request: https://github.com/apache/cloudstack/pull/308#issuecomment-105682213 I searched around for that reference and found nothing useful, perhaps @bhaisaab can shed some light, since it was signed off by him :) If I understood

[GitHub] cloudstack pull request: Reinstate working sessions in browser

2015-05-26 Thread rsafonseca
Github user rsafonseca commented on a diff in the pull request: https://github.com/apache/cloudstack/pull/308#discussion_r31084802 --- Diff: ui/scripts/cloudStack.js --- @@ -329,7 +325,6 @@ g_regionsecondaryenabled = null;

[GitHub] cloudstack pull request: Reinstate working sessions in browser

2015-05-26 Thread bhaisaab
Github user bhaisaab commented on a diff in the pull request: https://github.com/apache/cloudstack/pull/308#discussion_r31085151 --- Diff: ui/scripts/cloudStack.js --- @@ -117,22 +117,15 @@ } return cookieValue;