Set Secure Attribute on Session Cookie #6912

Closed
stanenbaum-va opened this issue Dec 4, 2023 · 4 comments · Fixed by #6930
Labels
backlog Triaged Issue added to backlog enhancement This is the preferred way to describe new end-to-end features.

Comments

@stanenbaum-va

WASA scans reveal a low security finding when Kiali is served over HTTPS due to the kiali-token-aes only having HTTPOnly, without the Secure attribute.

@stanenbaum-va stanenbaum-va added the enhancement This is the preferred way to describe new end-to-end features. label Dec 4, 2023
jshaughn commented Dec 4, 2023

See #6907 for more on what is being requested here.

jmazzitelli commented Dec 6, 2023

And here is a brief overview of why this is being asked. https://resources.infosecinstitute.com/topics/general-security/securing-cookies-httponly-secure-flags

Note: Because Kiali's endpoint can be configured to use http only (as opposed to https) we'll want to be able to have the cookie sent over http. Thus the Secure flag should be set on the cookie only if Kiali's endpoint is specifically configured for https; it should not be set when Kiali's endpoint is configured for http.

@jmazzitelli jmazzitelli self-assigned this Dec 6, 2023
@jmazzitelli jmazzitelli added the backlog Triaged Issue added to backlog label Dec 6, 2023
jmazzitelli added a commit to jmazzitelli/kiali that referenced this issue Dec 6, 2023
jmazzitelli added a commit to jmazzitelli/kiali that referenced this issue Dec 6, 2023
@jmazzitelli (Collaborator)

This has been implemented - #6930 - that PR is just waiting on review; if that happens in the next day or two, this might get into the upcoming release.

jmazzitelli added a commit to jmazzitelli/kiali that referenced this issue Dec 7, 2023
jmazzitelli added a commit that referenced this issue Dec 8, 2023
* set the Secure flag on auth cookies when appropriate
fixes: #6912

* rename IsServerHttps to IsServerHTTPS

* if server itself isn't using https, check to see if the proxy in front does

* fix some tests
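The rule described in the Dec 6 comment and in the commit message above (Secure only when the Kiali endpoint is https, otherwise only when the proxy in front of it terminated TLS) can be illustrated as a small Go program. This is an added example, not Kiali's own code or the code in #6930: `ServerConfig`, `ShouldSetSecure` and `NewSessionCookie` are assumed names, the proxy check via the `X-Forwarded-Proto` header is an assumed mechanism (the commit message does not say how the proxy is detected), and the `SameSite` setting is an extra assumption beyond what the issue asks for.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ServerConfig is an assumed, simplified stand-in for Kiali's server
// configuration; only the https-vs-http choice matters here.
type ServerConfig struct {
	ServerHTTPS bool // true when the Kiali endpoint itself terminates TLS
}

// IsServerHTTPS reports whether the endpoint is configured for https.
func (c ServerConfig) IsServerHTTPS() bool { return c.ServerHTTPS }

// ShouldSetSecure decides whether the Secure attribute belongs on the
// session cookie: yes when the endpoint is https, otherwise only when a
// reverse proxy in front of it says the client hop was https. The
// X-Forwarded-Proto check is an assumption for this example.
func ShouldSetSecure(cfg ServerConfig, r *http.Request) bool {
	if cfg.IsServerHTTPS() {
		return true
	}
	if r == nil {
		return false
	}
	// Proxies may chain values ("https, http"); the first entry is the
	// client-facing hop, which is the one that matters for the cookie.
	proto := r.Header.Get("X-Forwarded-Proto")
	if i := strings.IndexByte(proto, ','); i >= 0 {
		proto = proto[:i]
	}
	return strings.EqualFold(strings.TrimSpace(proto), "https")
}

// NewSessionCookie builds the session cookie with HttpOnly always on and
// Secure on only when ShouldSetSecure allows it. SameSite=Strict is an
// added hardening choice, not something the issue requests.
func NewSessionCookie(name, value string, cfg ServerConfig, r *http.Request) *http.Cookie {
	return &http.Cookie{
		Name:     name,
		Value:    value,
		Path:     "/",
		HttpOnly: true,
		Secure:   ShouldSetSecure(cfg, r),
		SameSite: http.SameSiteStrictMode,
	}
}

func main() {
	// Constructed requests: one plain, one carrying a proxy's forwarded scheme.
	plain := httptest.NewRequest(http.MethodGet, "http://kiali.example/", nil)
	viaProxy := httptest.NewRequest(http.MethodGet, "http://kiali.example/", nil)
	viaProxy.Header.Set("X-Forwarded-Proto", "https")

	cases := []struct {
		label string
		cfg   ServerConfig
		req   *http.Request
	}{
		{"https endpoint", ServerConfig{ServerHTTPS: true}, plain},
		{"http endpoint, no proxy", ServerConfig{}, plain},
		{"http endpoint behind TLS proxy", ServerConfig{}, viaProxy},
	}
	for _, tc := range cases {
		c := NewSessionCookie("kiali-token-aes", "opaque-session-value", tc.cfg, tc.req)
		fmt.Printf("%-32s Set-Cookie: %s\n", tc.label, c.String())
	}
}
```

Running it prints three Set-Cookie lines; only the first and third carry `Secure`, all three carry `HttpOnly`, which is the behaviour a scanner like the one in the original report would check for.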