[jira] [Created] (OFBIZ-12252) Session id `externalLoginKey' should not be included in URL

Nicolas Malin (Jira)
Xin Wang created OFBIZ-12252:
--------------------------------

             Summary: Session id `externalLoginKey' should not be included in URL
                 Key: OFBIZ-12252
                 URL: https://issues.apache.org/jira/browse/OFBIZ-12252
             Project: OFBiz
          Issue Type: Bug
            Reporter: Xin Wang


When changing between different OFBiz apps, the session id `externalLoginKey' will be inserted into the URL as a query string. But sensitive info like that should not be included in the URL if we are concerned about security, as it will be exposed in the following scenarios:

1. It will be recorded in browser history
2. It will be recorded in web server access log
3. It will be sent to other servers in Referer header

Anyone who gets this key can log into OFBiz without authentication until that key expires.

See the following discussion for more info:

https://stackoverflow.com/questions/7351225/passing-session-identifier-as-a-query-string-parameter



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
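As an added defender-side example (not part of the Jira issue and not OFBiz code): a small Python scanner that parses Apache combined-format access log lines, flags any request path or Referer that carries `externalLoginKey` in its query string (scenarios 2 and 3 in the report), and rewrites the lines with the key value redacted so the log stops being a store of live credentials. The log lines are constructed for the example; the `REDACTED` marker, the `shop.example` host and the extra handling of a servlet-style `;jsessionid=` path parameter are assumptions of this example, not something the issue describes.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names (lower-cased) that carry a login credential and must
# never be written to a log. `externalloginkey` is the one named in OFBIZ-12252.
SENSITIVE_PARAMS = {"externalloginkey"}

# Path (matrix) parameter used by servlet containers for the session id;
# covering it is an assumption of this example, not part of the issue.
JSESSIONID_RE = re.compile(r"(;jsessionid=)[^/?#;]*", re.IGNORECASE)

# Apache "combined" log format: client ident user [time] "req" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample: line 1 leaks the key in the request URL, line 2 leaks it
# via the Referer header after navigating to another app, line 3 is clean.
LOG_LINES = [
    '10.0.0.5 - - [12/May/2021:10:01:02 +0000] "GET /catalog/control/main?externalLoginKey=EL123456 HTTP/1.1" '
    '200 5123 "https://shop.example/ordermgr/control/main" "Mozilla/5.0"',
    '10.0.0.6 - - [12/May/2021:10:01:05 +0000] "GET /ordermgr/control/orderview?orderId=WS10000 HTTP/1.1" '
    '200 812 "https://shop.example/catalog/control/main?externalLoginKey=EL123456" "Mozilla/5.0"',
    '10.0.0.7 - - [12/May/2021:10:01:09 +0000] "POST /accounting/control/login HTTP/1.1" 302 0 "-" "curl/7.68.0"',
]


def find_sensitive_params(url):
    """Return the names of credential-bearing parameters found in a URL or path."""
    parts = urlsplit(url)
    found = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)
             if k.lower() in SENSITIVE_PARAMS]
    if JSESSIONID_RE.search(parts.path):
        found.append("jsessionid")
    return found


def redact_url(url):
    """Rewrite a URL so that credential-bearing parameter values read REDACTED."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    path = JSESSIONID_RE.sub(r"\1REDACTED", parts.path)
    return urlunsplit((parts.scheme, parts.netloc, path, urlencode(query), parts.fragment))


def scan_access_log(lines):
    """Parse combined-format lines. Returns (findings, redacted_lines).

    findings: one dict per leaking field (request path or Referer) with the
    1-based line number, the field name, the parameter names and the client IP.
    redacted_lines: the same lines with sensitive values replaced, suitable
    for forwarding to a log store; unparsable lines are passed through as-is.
    """
    findings, redacted = [], []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            redacted.append(line)
            continue
        d = m.groupdict()
        for field in ("path", "referer"):
            if d[field] == "-":
                continue
            names = find_sensitive_params(d[field])
            if names:
                findings.append({"line": n, "field": field,
                                 "params": sorted(set(names)), "client": d["ip"]})
        safe_path = redact_url(d["path"])
        safe_ref = "-" if d["referer"] == "-" else redact_url(d["referer"])
        redacted.append(
            f'{d["ip"]} {d["ident"]} {d["user"]} [{d["ts"]}] '
            f'"{d["method"]} {safe_path} {d["proto"]}" {d["status"]} {d["size"]} '
            f'"{safe_ref}" "{d["agent"]}"'
        )
    return findings, redacted


if __name__ == "__main__":
    hits, safe_lines = scan_access_log(LOG_LINES)
    for h in hits:
        print(f'line {h["line"]}: {h["params"]} leaked via {h["field"]} from {h["client"]}')
    print("\n".join(safe_lines))
```

Run against a real access log, the findings list is the detection signal (a key appearing in a Referer means a third-party site or another app has already received it), and the redacted lines are what should be retained; the fix on the application side is to stop putting the key in the URL at all, which the issue asks for.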