[
https://issues.apache.org/jira/browse/OFBIZ-12252?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17358030#comment-17358030 ]
Jacques Le Roux commented on OFBIZ-12252:
-----------------------------------------
Hi Wang,
Tomcat SSO was put in with OFBIZ-10047. [There was an objection from Michael about the cluster case|
https://issues.apache.org/jira/browse/OFBIZ-10047?focusedCommentId=16295131&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16295131].
I looked at it and [this was my final answer|
https://issues.apache.org/jira/secure/EditComment!default.jspa?id=13124002&commentId=16296572]
So it's possible to make it work in a cluster but needs more work...
> Session id `externalLoginKey' should not be included in URL
> -----------------------------------------------------------
>
> Key: OFBIZ-12252
> URL:
https://issues.apache.org/jira/browse/OFBIZ-12252> Project: OFBiz
> Issue Type: Bug
> Reporter: Xin Wang
> Priority: Major
>
> When changing between different OFBiz apps, session id `externalLoginKey' will be inserted into URL as a query string. But sensitive info like that should not be included in URL if we concerning about security, as it will be exposed in following scenarios:
> 1. It will be recorded in browser history
> 2. It will be recorded in web server access log
> 3. It will be sent to other servers in Referer header
> Anyone get this key can log into OFBiz without authentication, until that key expired.
> See following discussion for more info:
>
https://stackoverflow.com/questions/7351225/passing-session-identifier-as-a-query-string-parameter--
This message was sent by Atlassian Jira
(v8.3.4#803005)
Locked
