You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@ofbiz.apache.org by "Jacques Le Roux (Jira)" <ji...@apache.org> on 2021/06/05 18:30:00 UTC
[jira] [Comment Edited] (OFBIZ-12252) Session id `externalLoginKey'
should not be included in URL
[ https://issues.apache.org/jira/browse/OFBIZ-12252?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17357911#comment-17357911 ]
Jacques Le Roux edited comment on OFBIZ-12252 at 6/5/21, 6:29 PM:
------------------------------------------------------------------
Hi Wang,
You can use Tomcat SSO instead. Look for security.login.tomcat.sso in security.properties file. If it's OK w/ you please close as "Information provided", TIA
was (Author: jacques.le.roux):
Hi Want,
You can use Tomcat SSO instead. Look for security.login.tomcat.sso in security.properties file. If it's OK w/ you please close as "Information provided", TIA
> Session id `externalLoginKey' should not be included in URL
> -----------------------------------------------------------
>
> Key: OFBIZ-12252
> URL: https://issues.apache.org/jira/browse/OFBIZ-12252
> Project: OFBiz
> Issue Type: Bug
> Reporter: Xin Wang
> Priority: Major
>
> When changing between different OFBiz apps, session id `externalLoginKey' will be inserted into URL as a query string. But sensitive info like that should not be included in URL if we concerning about security, as it will be exposed in following scenarios:
> 1. It will be recorded in browser history
> 2. It will be recorded in web server access log
> 3. It will be sent to other servers in Referer header
> Anyone get this key can log into OFBiz without authentication, until that key expired.
> See following discussion for more info:
> https://stackoverflow.com/questions/7351225/passing-session-identifier-as-a-query-string-parameter
--
This message was sent by Atlassian Jira
(v8.3.4#803005)