[
https://issues.apache.org/jira/browse/OFBIZ-12252?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17358032#comment-17358032 ]
Xin Wang commented on OFBIZ-12252:
----------------------------------
Hi Jacques,
Thank you for your detailed explanation!
As related issues have been fully discussed, I will close this one.
Thanks!
> Session id `externalLoginKey' should not be included in URL
> -----------------------------------------------------------
>
> Key: OFBIZ-12252
> URL:
https://issues.apache.org/jira/browse/OFBIZ-12252> Project: OFBiz
> Issue Type: Bug
> Reporter: Xin Wang
> Priority: Major
>
> When changing between different OFBiz apps, session id `externalLoginKey' will be inserted into URL as a query string. But sensitive info like that should not be included in URL if we concerning about security, as it will be exposed in following scenarios:
> 1. It will be recorded in browser history
> 2. It will be recorded in web server access log
> 3. It will be sent to other servers in Referer header
> Anyone get this key can log into OFBiz without authentication, until that key expired.
> See following discussion for more info:
>
https://stackoverflow.com/questions/7351225/passing-session-identifier-as-a-query-string-parameter--
This message was sent by Atlassian Jira
(v8.3.4#803005)
Locked
