Posted to jetspeed-user@portals.apache.org by Brad Straw <bk...@netscape.net> on 2003/01/21 06:50:55 UTC

Jetspeed url question

With the current functionality of Jetspeed displaying the userid as a component of the URL, I was wondering if anyone has considered that in and of itself a security weakness. With common two-factor authentication (userid and password), 50% of this security barrier is disclosed fairly quickly and available to anyone interested in "social engineering" or even minor shoulder surfing. Of course, the context of this discussion assumes that some confidential information is being used or stored in the portal.

Interestingly enough, Yahoo shows the userid in the window caption bar and Netscape shows user ids in the URL. It would appear, however, that Netscape is showing an internally generated id for the user (maybe actually the primary key in the user table?).

Any thoughts or comments?

Brad
