Improve cookie security #2759

alexec · 2020-04-20T15:41:52Z

After investigating SSO, I think we need to improve this:

Remove display the cookie from the login page.
Set-up flags, []string{"path=/", "SameSite=lax", "httpOnly"} but not Secure.

@alexmt why does Argo CD use "lax" not "strict"?

OSWAP

This is probably the most secure configuration we have for
now:
Set-Cookie: __Host-SessionID=3h93...;Path=/;Secure;HttpOnly;SameSite=Strict

The text was updated successfully, but these errors were encountered:

alexec · 2020-04-20T15:47:45Z

@jannfis @alexmt FYI

alexec · 2020-04-20T15:53:07Z

ok, we don't currently need to set path, because we set the cookie client side in javascript

alexec added type/bug type/security Security related labels Apr 20, 2020

alexec added a commit to alexec/argo-workflows that referenced this issue Apr 20, 2020

fix: Improve cookie security. Fixes argoproj#2759

bbace9d

alexec linked a pull request Apr 20, 2020 that will close this issue

fix: Improve cookie security. Fixes #2759 #2763

Merged

6 tasks

alexec closed this as completed in #2763 Apr 20, 2020

alexec added a commit that referenced this issue Apr 20, 2020

fix: Improve cookie security. Fixes #2759 (#2763)

a6fa3f7

simster7 pushed a commit that referenced this issue Apr 20, 2020

fix: Improve cookie security. Fixes #2759 (#2763)

ee10796

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Improve cookie security #2759

Improve cookie security #2759

alexec commented Apr 20, 2020

alexec commented Apr 20, 2020

alexec commented Apr 20, 2020

Improve cookie security #2759

Improve cookie security #2759

Comments

alexec commented Apr 20, 2020

alexec commented Apr 20, 2020

alexec commented Apr 20, 2020