Posted to dev@wookie.apache.org by "Scott Wilson (JIRA)" <ji...@apache.org> on 2014/03/04 14:12:22 UTC

[jira] [Updated] (WOOKIE-426) Provide a single-use token rather than a session token in widget URLs

     [ https://issues.apache.org/jira/browse/WOOKIE-426?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Scott Wilson updated WOOKIE-426:
--------------------------------

    Fix Version/s: 2.0.0

> Provide a single-use token rather than a session token in widget URLs
> ---------------------------------------------------------------------
>
>                 Key: WOOKIE-426
>                 URL: https://issues.apache.org/jira/browse/WOOKIE-426
>             Project: Wookie
>          Issue Type: Improvement
>          Components: Server
>    Affects Versions: 2.0.0
>            Reporter: Scott Wilson
>            Assignee: Scott Wilson
>              Labels: security
>             Fix For: 2.0.0
>
>
> When a connector asks for a widget to display, Wookie returns a URL with an "idkey" parameter in the query string for the application to use in constructing an iFrame. This idkey is used to authenticate requests by the widget for its metadata and preferences.
> However, we could instead supply a single-use token that is used when the widget is rendered to request a new token from Wookie to use for all subsequent requests.
> This means that anyone extracting the token from the URL would not be able to hijack the widget's session as it would no longer be valid.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
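
The token exchange proposed in the issue, sketched as an added example that is not part of the original message and is not Wookie's code. The class, method names, the `token` parameter, the 60-second lifetime and the `wookie.example` URL are all assumptions made for illustration.

```python
import secrets
import time


class TokenExchange:
    """Hypothetical in-memory store for the exchange; not Wookie's API."""

    def __init__(self, bootstrap_ttl=60):
        self.bootstrap_ttl = bootstrap_ttl  # assumed lifetime, in seconds
        self._bootstrap = {}  # one-time token -> (widget instance id, expiry)
        self._sessions = {}   # session token -> widget instance id

    def issue_url(self, instance_id,
                  base="https://wookie.example/widget/index.html"):
        """Connector asks for a widget: only a one-time token goes in the URL."""
        token = secrets.token_urlsafe(32)
        expiry = time.monotonic() + self.bootstrap_ttl
        self._bootstrap[token] = (instance_id, expiry)
        return f"{base}?token={token}"

    def redeem(self, token):
        """Widget calls this once while rendering; returns a session token or None."""
        # pop() removes the token on first use, so a second presentation of
        # the same value (for example, one copied from the URL) finds nothing.
        entry = self._bootstrap.pop(token, None)
        if entry is None:
            return None
        instance_id, expiry = entry
        if time.monotonic() > expiry:
            return None  # never redeemed in time: treat as invalid
        session = secrets.token_urlsafe(32)
        self._sessions[session] = instance_id
        return session

    def authenticate(self, session):
        """Checks later metadata/preferences requests; URL tokens never match."""
        return self._sessions.get(session)
```

The session token is returned in the response to the redeem call and never appears in a URL. The short lifetime bounds how long an unredeemed URL token stays usable.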