[
https://issues.apache.org/jira/browse/HADOOP-12049?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14592825#comment-14592825
]
Haohui Mai commented on HADOOP-12049:
-------------------------------------
[~benoyantony], just in case you missed my questions:
https://issues.apache.org/jira/browse/HADOOP-12049?focusedCommentId=14591086&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14591086
I'm wondering whether making the behavior configurable can justify the risks of
misconfiguration? Should we just restrict all cookies to be session cookies?
It looks like the value of making the behavior configurable is fairly marginal
in terms of security and performance, but at the same time the configuration of
the authentication filters will become more convoluted.
> Control http authentication cookie persistence via configuration
> ----------------------------------------------------------------
>
> Key: HADOOP-12049
> URL: https://issues.apache.org/jira/browse/HADOOP-12049
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Affects Versions: 3.0.0
> Reporter: Benoy Antony
> Assignee: hzlu
> Labels: patch
> Fix For: 3.0.0
>
> Attachments: HADOOP-12049.001.patch, HADOOP-12049.003.patch,
> HADOOP-12049.005.patch
>
>
> During http authentication, a cookie is dropped. This is a persistent cookie.
> The cookie is valid across browser sessions.
> For clusters which require enhanced security, it is desirable to have a
> session cookie so that the cookie gets deleted when the user closes the browser
> session.
> It should be possible to specify cookie persistence (session or persistent)
> via configuration.
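The session/persistent distinction from the issue description, as an added example (not code from the Hadoop patch or from either participant): a cookie is persistent only when its `Set-Cookie` header carries a future `Expires` or a positive `Max-Age`. The cookie name `hadoop.auth`, the function names and the sample headers are assumptions constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def cookie_persistence(set_cookie, now=None):
    """Classify one Set-Cookie value as 'session', 'persistent' or 'deleted'."""
    now = now or datetime.now(timezone.utc)
    attrs = {}
    for part in set_cookie.split(";")[1:]:        # first part is name=value
        key, _, val = part.strip().partition("=")
        attrs[key.lower()] = val.strip()
    # RFC 6265: Max-Age takes precedence over Expires when both are present.
    if "max-age" in attrs:
        try:
            return "persistent" if int(attrs["max-age"]) > 0 else "deleted"
        except ValueError:
            pass                                   # malformed Max-Age is ignored
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return "session"                       # unparseable Expires is ignored
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return "persistent" if expires > now else "deleted"
    return "session"                               # no lifetime: dies with the browser


def audit(header_lines, cookie_name="hadoop.auth", now=None):
    """Return (cookie, classification) for each Set-Cookie of the auth cookie."""
    findings = []
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() != "set-cookie":
            continue
        if value.split("=", 1)[0].strip() == cookie_name:
            findings.append((cookie_name, cookie_persistence(value, now)))
    return findings


# Constructed sample response headers (not captured from a real cluster).
NOW = datetime(2015, 6, 18, 22, 0, tzinfo=timezone.utc)
SAMPLE_HEADERS = [
    'Set-Cookie: hadoop.auth="u=alice&t=simple&s=CONSTRUCTED"; Path=/; '
    "Expires=Fri, 19-Jun-2015 08:00:00 GMT; HttpOnly",
    'Set-Cookie: hadoop.auth="u=alice&t=simple&s=CONSTRUCTED"; Path=/; HttpOnly',
    "Set-Cookie: hadoop.auth=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT",
    "Set-Cookie: JSESSIONID=constructed; Path=/",
]
```

Running `audit` over responses from an authenticated endpoint shows whether a deployment is actually issuing session cookies, whichever way the filter ends up being configured.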