Posted to issues@solr.apache.org by "Shawn Heisey (Jira)" <ji...@apache.org> on 2021/03/11 18:09:00 UTC

[jira] [Commented] (SOLR-15248) Remove login autocomplete

    [ https://issues.apache.org/jira/browse/SOLR-15248?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17299777#comment-17299777 ] 

Shawn Heisey commented on SOLR-15248:
-------------------------------------

I don't see any problem with this change.  But the fact that you are worried about this tells me you have some security problems that Solr cannot address.

The only way that an unauthorized user could even see previous usernames is if they have access to your systems they should not have.

That autocomplete data is saved by the browser, not Solr.  So if you have somebody unauthorized seeing usernames, they have to have access to the same browser under the same client OS user account that was used by the authorized user. If unauthorized users have that kind of access, it's a really big security issue.

> Remove login autocomplete
> -------------------------
>
>                 Key: SOLR-15248
>                 URL: https://issues.apache.org/jira/browse/SOLR-15248
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Lillie Hammer
>            Priority: Minor
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Remove autocomplete which currently allows you to see who had logged in previously. 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)