Posted to issues@guacamole.apache.org by "Mike Jumper (Jira)" <ji...@apache.org> on 2023/06/21 23:53:00 UTC

[jira] [Commented] (GUACAMOLE-1818) Auth token as a parameter in "websocket-tunnel" request

    [ https://issues.apache.org/jira/browse/GUACAMOLE-1818?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17735936#comment-17735936 ] 

Mike Jumper commented on GUACAMOLE-1818:
----------------------------------------

This is intentional, as:

* WebSocket does not provide a mechanism for sending secrets prior to establishing the full WebSocket connection
* The general consensus on use of authentication tokens in web application requests is that the same concerns do not apply to WebSocket as may apply to HTTP.

See the comments on: GUACAMOLE-956

Doing otherwise would involve submitting some sort of nonce in lieu of a token, still as part of the URL (not impossible but definitely more complex).

> Auth token as a parameter in "websocket-tunnel" request
> -------------------------------------------------------
>
>                 Key: GUACAMOLE-1818
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1818
>             Project: Guacamole
>          Issue Type: Bug
>          Components: guacamole, guacamole-client
>    Affects Versions: 1.5.2, 1.5.1
>            Reporter: Benjamin
>            Priority: Major
>
> The following HTTP request example, generated by the Guacamole client, contains authentication service tokens in URL query parameters, which could be leaked through server log files, the "Referer" header of HTTP requests, etc.
> Example:
> GET /workstation/websocket-tunnel?token=<token>&GUAC_DATA_SOURCE=postgresql&GUAC_ID=1&GUAC_TYPE=c&GUAC_WIDTH=1920&GUAC_HEIGHT=1081&GUAC_DPI=96&GUAC_TIMEZONE=Europe%2FBerlin&GUAC_AUDIO=audio%2FL8&GUAC_AUDIO=audio%2FL16&GUAC_IMAGE=image%2Fjpeg&GUAC_IMAGE=image%2Fpng&GUAC_IMAGE=image%2Fwebp
> I was able to verify this for both 1.5.2 and 1.5.1; older releases are probably also affected by this.
> This is similar to: GUACAMOLE-1775
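The "nonce in lieu of a token" alternative sketched in the comment above, written out as an added Python example that is not Guacamole code: the long-lived auth token is exchanged over an authenticated HTTP request for a short-lived, single-use nonce, and only the nonce is placed in the tunnel URL. NonceBroker, NONCE_TTL_SECONDS, the `nonce` parameter name and the token values are all assumptions made for this illustration.

```python
import secrets
import time
from urllib.parse import urlencode

NONCE_TTL_SECONDS = 30  # assumed nonce lifetime, chosen for this example


class NonceBroker:
    """Hypothetical server-side broker mapping one-time nonces to auth tokens."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable clock so expiry can be tested
        self._pending = {}       # nonce -> (auth_token, expires_at)

    def issue(self, auth_token):
        """Called on an authenticated HTTP request (token sent in a header or
        body, never in the URL); returns a nonce for the websocket-tunnel URL."""
        nonce = secrets.token_urlsafe(32)
        self._pending[nonce] = (auth_token, self._clock() + NONCE_TTL_SECONDS)
        return nonce

    def redeem(self, nonce):
        """Called when the WebSocket handshake arrives. Returns the bound auth
        token, or None if the nonce is unknown, already used, or expired."""
        entry = self._pending.pop(nonce, None)   # pop makes the nonce single-use
        if entry is None:
            return None
        auth_token, expires_at = entry
        if self._clock() > expires_at:
            return None
        return auth_token


def tunnel_url(nonce, connection_params):
    """Build the tunnel request with the same GUAC_* parameters as the report,
    but a nonce where the token used to be, so a logged URL reveals no token."""
    query = [("nonce", nonce)] + list(connection_params)
    return "/workstation/websocket-tunnel?" + urlencode(query)


# Constructed connection parameters echoing the reporter's request.
EXAMPLE_PARAMS = [("GUAC_DATA_SOURCE", "postgresql"), ("GUAC_ID", "1"),
                  ("GUAC_TYPE", "c"), ("GUAC_WIDTH", "1920")]


def demo():
    broker = NonceBroker()
    nonce = broker.issue("session-token-123")   # constructed token value
    url = tunnel_url(nonce, EXAMPLE_PARAMS)
    first = broker.redeem(nonce)    # returns "session-token-123"
    replay = broker.redeem(nonce)   # None: a leaked URL cannot be replayed
    return url, first, replay
```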



--
This message was sent by Atlassian Jira
(v8.20.10#820010)