[
https://issues.apache.org/jira/browse/OFBIZ-12252?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17357911#comment-17357911 ]
Jacques Le Roux edited comment on OFBIZ-12252 at 6/5/21, 6:29 PM:
------------------------------------------------------------------
Hi Wang,
You can use Tomcat SSO instead. Look for security.login.tomcat.sso in security.properties file. If it's OK w/ you please close as "Information provided", TIA
was (Author: jacques.le.roux):
Hi Want,
You can use Tomcat SSO instead. Look for security.login.tomcat.sso in security.properties file. If it's OK w/ you please close as "Information provided", TIA
> Session id `externalLoginKey' should not be included in URL
> -----------------------------------------------------------
>
> Key: OFBIZ-12252
> URL:
https://issues.apache.org/jira/browse/OFBIZ-12252> Project: OFBiz
> Issue Type: Bug
> Reporter: Xin Wang
> Priority: Major
>
> When changing between different OFBiz apps, session id `externalLoginKey' will be inserted into URL as a query string. But sensitive info like that should not be included in URL if we concerning about security, as it will be exposed in following scenarios:
> 1. It will be recorded in browser history
> 2. It will be recorded in web server access log
> 3. It will be sent to other servers in Referer header
> Anyone get this key can log into OFBiz without authentication, until that key expired.
> See following discussion for more info:
>
https://stackoverflow.com/questions/7351225/passing-session-identifier-as-a-query-string-parameter--
This message was sent by Atlassian Jira
(v8.3.4#803005)
Locked
