noVNC contains the session token in URL and insecurely sets the session cookie

Solution Unverified - Updated -


  • Red Hat Open Stack


  • The VNC Console connection in Nova works by having the user connect to the API which returns a URL such as: Where the token has a TTL which is then used to create a session from a WebSocket. However, URL's should not contain sensitive information such as session tokens with a TTL since URL's can be leaked through proxy logs or other types of attacks such as Cross-Site Scripting. Additionally, due to the session cookie being set with JavaScript it cannot securely be set to HttpOnly nor is it set with the Secure flag making it further susceptible to Cross-Site Scripting attacks or leakage through a non-SSL connection.

  • HTTP GET requests for novncproxy contain security-sensitive date


  • Engineering team is already working on this issue. For details please contact Red Hat Support.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.