
Linux based App Service caching cookies when CORS is enabled from Azure Portal #128

Open
vijaysaayi opened this issue Dec 2, 2019 · 3 comments

Comments


@vijaysaayi vijaysaayi commented Dec 2, 2019

Issue:
Linux based App Service caching cookies when CORS is enabled from Azure Portal.

Current Status:
Our Engineering Team is working on the fix for this issue.

I shall update this issue once we have more updates.


@jcbaey jcbaey commented Dec 5, 2019

Details to reproduce the vulnerability: https://github.com/jcbaey/azurewebsites-cookie


@ConnorMcMahon ConnorMcMahon commented Dec 6, 2019

The implementation of the Authentication/Authorization and CORS features for Azure App Service on Linux make use of a reverse proxy in order to make modifications to incoming requests and outgoing responses. For cookies set by customer code without specified domains and not marked as Secure, the reverse proxy layer would cache the cookies, meaning that cookies set for one browser session could be seen across other browser sessions.

We are currently in the process of rolling out the fix. For customers who don't want to wait, we have a workaround of applying the fix manually. Simply set the app setting WEBSITE_CUSTOM_MIDDLEWARE_VERSION=1912022226. Note that if the VM does not already have this image installed, there may be an impact on cold start.

Our next update regarding the fix deployment status will be at 12/6/2019 11AM PST.
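The comment above describes the condition under which the reverse proxy cached cookies: no explicit Domain attribute and no Secure flag. The following is an added example, not code from this issue or from Azure App Service, that parses Set-Cookie header values and flags the cookies matching that pattern, so a team can audit what their app emits before and after the fix lands. The sample header values are constructed; the function names are this example's own.

```python
"""Audit Set-Cookie headers for cookies matching the pattern described in
the issue: no explicit Domain attribute and no Secure flag.  Added example,
not Azure's implementation; the sample headers below are constructed."""
from typing import Dict, List, Union

# Constructed sample of Set-Cookie header values as an app might emit them.
SAMPLE_SET_COOKIE_HEADERS = [
    "session=abc123; Path=/; HttpOnly",                    # no Domain, no Secure
    "prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax",  # Secure set
    "tracker=xyz; Domain=example.com; Path=/",             # explicit Domain
    "csrf=tok; Path=/; SameSite=Strict",                   # no Domain, no Secure
]

Cookie = Dict[str, Union[str, Dict[str, Union[str, bool]]]]


def parse_set_cookie(header_value: str) -> Cookie:
    """Split one Set-Cookie value into its name, value and attributes.

    Attributes are keyed by lower-cased name; bare flags such as Secure and
    HttpOnly map to True, valued attributes such as Domain keep their value.
    A hand-rolled split is used so behaviour does not depend on the stdlib
    cookie module's attribute support in a given Python version.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Union[str, bool]] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def is_proxy_cacheable(cookie: Cookie) -> bool:
    """True when the cookie has neither a Domain attribute nor the Secure
    flag, the combination the comment says the proxy layer cached."""
    attrs = cookie["attrs"]
    return "domain" not in attrs and "secure" not in attrs


def audit_set_cookie_headers(headers: List[str]) -> List[str]:
    """Return the names of cookies at risk of being served across sessions."""
    return [
        str(c["name"])
        for c in map(parse_set_cookie, headers)
        if is_proxy_cacheable(c)
    ]


def add_secure_flag(header_value: str) -> str:
    """Append the Secure flag when missing; per the comment, cookies marked
    Secure were not cached by the proxy.  The caller decides whether this
    is appropriate for the cookie (it must then be sent over HTTPS only)."""
    if "secure" in parse_set_cookie(header_value)["attrs"]:
        return header_value
    return header_value.rstrip("; ") + "; Secure"


if __name__ == "__main__":
    for flagged in audit_set_cookie_headers(SAMPLE_SET_COOKIE_HEADERS):
        print(f"at risk: {flagged}")
    for h in SAMPLE_SET_COOKIE_HEADERS:
        print(add_secure_flag(h))
```

Run it against the Set-Cookie values captured from your own app's responses (for example from a browser's network panel) rather than the constructed sample; any name it reports is a cookie that, on an affected instance, lacked the attributes the comment names.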


@ConnorMcMahon ConnorMcMahon commented Dec 7, 2019

Update @ 2019-12-11 22:55 UTC

The update will be rolling out globally over the next week and a half.
