Horizon does not set Secure Attribute in cookies
---

### Summary ###
Horizon does not, by default, set the Secure Attribute in cookies.

### Affected Services / Software ###
Horizon, Django, SSL, TLS

### Discussion ###
When used in production, Horizon should have the Secure Attribute for
cookies set. When this flag is set, browsers will only transfer the
cookie over secure channels. Without it set, browsers may transfer the
cookie over plain-text channels, potentially exposing the contents to an
attacker who can then use the cookie to authenticate with the Horizon
server as the original user.

### Recommended Actions ###
Enable secure cookie by setting the SESSION_COOKIE_SECURE config flag to
true as described in the Django documentation:

  https://docs.djangoproject.com/en/dev/ref/settings/#std:setting-SESSION_COOKIE_SECURE

### Contacts / References ###
Author: Robert Clark, HP
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0036
Related OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0035
Original LaunchPad Bug : https://bugs.launchpad.net/horizon/+bug/1191051
OpenStack Security ML : openstack-security@lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg