[
https://issues.apache.org/jira/browse/OFBIZ-12252?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17357998#comment-17357998 ]
Xin Wang edited comment on OFBIZ-12252 at 6/5/21, 11:39 PM:
------------------------------------------------------------
Hi Jacques,
Thank you for pointing to Tomcat SSO, that helps!
BTW, regarding to the security issues of `externalLoginKey', I think it should be turned off by default. (I'm aware that currently Tomcat SSO is not supported in cluster mode, but users can turn on `externalLoginKey' in cluster mode if they fully aware of those security issues.)
was (Author: dram):
Hi Jacques,
Thank you for pointing to Tomcat SSO, that helps!
BTW, regarding to the security issues of `externalLoginKey', I think it should be turned off by default. (I'm aware that currently Tomcat SSO is not supported in cluster mode, but users can turn on it in cluster mode if they fully aware of those security issues.)
> Session id `externalLoginKey' should not be included in URL
> -----------------------------------------------------------
>
> Key: OFBIZ-12252
> URL:
https://issues.apache.org/jira/browse/OFBIZ-12252> Project: OFBiz
> Issue Type: Bug
> Reporter: Xin Wang
> Priority: Major
>
> When changing between different OFBiz apps, session id `externalLoginKey' will be inserted into URL as a query string. But sensitive info like that should not be included in URL if we concerning about security, as it will be exposed in following scenarios:
> 1. It will be recorded in browser history
> 2. It will be recorded in web server access log
> 3. It will be sent to other servers in Referer header
> Anyone get this key can log into OFBiz without authentication, until that key expired.
> See following discussion for more info:
>
https://stackoverflow.com/questions/7351225/passing-session-identifier-as-a-query-string-parameter--
This message was sent by Atlassian Jira
(v8.3.4#803005)
Locked
