[jira] [Commented] (OFBIZ-12252) Session id `externalLoginKey' should not be included in URL

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[jira] [Commented] (OFBIZ-12252) Session id `externalLoginKey' should not be included in URL

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-12252?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17358032#comment-17358032 ]

Xin Wang commented on OFBIZ-12252:
----------------------------------

Hi Jacques,

Thank you for your detailed explanation!

As related issues have been fully discussed, I will close this one.

Thanks!

> Session id `externalLoginKey' should not be included in URL
> -----------------------------------------------------------
>
>                 Key: OFBIZ-12252
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12252
>             Project: OFBiz
>          Issue Type: Bug
>            Reporter: Xin Wang
>            Priority: Major
>
> When changing between different OFBiz apps, session id `externalLoginKey' will be inserted into URL as a query string. But sensitive info like that should not be included in URL if we concerning about security, as it will be exposed in following scenarios:
> 1. It will be recorded in browser history
> 2. It will be recorded in web server access log
> 3. It will be sent to other servers in Referer header
> Anyone get this key can log into OFBiz without authentication, until that key expired.
> See following discussion for more info:
> https://stackoverflow.com/questions/7351225/passing-session-identifier-as-a-query-string-parameter



--
This message was sent by Atlassian Jira
(v8.3.4#803005)