hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dilli Arumugam (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-10379) Protect authentication cookies with the HttpOnly and Secure flags
Date Tue, 04 Mar 2014 01:28:22 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-10379?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13918892#comment-13918892
] 

Dilli Arumugam commented on HADOOP-10379:
-----------------------------------------

Code review comment:

comment 1:

Context:
+    SessionManager sm = webAppContext.getSessionHandler().getSessionManager();
+    if (sm instanceof AbstractSessionManager) {
+      AbstractSessionManager asm = (AbstractSessionManager)sm;
+      asm.setHttpOnly(true);
+      asm.setSecureCookies(true);
+    }
+

Would this flag JSESSIONID secure even if the the server is listening on HTTP (not HTTPS)?

comment 2:

Would it be better to have specific configuration properties, at least for hadoop.auth cookie,
like the following:

<property>
  <name>hadoop.http.authentication.cookie.secure</name>
  <value>false</value>
  <description>
  Should the authentication cookie should be flagged as secure?
  </description>
</property>

<property>
  <name>hadoop.http.authentication.cookie.httponly</name>
  <value>false</value>
  <description>
  Should the authentication cookie should be flagged as HttpOnly?
  </description>
</property>

The idea is backward compatibility with enough switches to secure the system.



> Protect authentication cookies with the HttpOnly and Secure flags
> -----------------------------------------------------------------
>
>                 Key: HADOOP-10379
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10379
>             Project: Hadoop Common
>          Issue Type: Improvement
>            Reporter: Haohui Mai
>            Assignee: Haohui Mai
>         Attachments: HADOOP-10379.000.patch
>
>
> Browser vendors have adopted proposals to enhance the security of HTTP cookies. For example,
the server can mark a cookie as {{Secure}} so that it will not be transfer via plain-text
HTTP protocol, and the server can mark a cookie as {{HttpOnly}} to prohibit the JavaScript
to access that cookie.
> This jira proposes to adopt these flags in Hadoop to protect the HTTP cookie used for
authentication purposes.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message