Posted to user@guacamole.apache.org by Madhukar Bhosale <bh...@gmail.com> on 2020/05/19 08:25:24 UTC

Session Token in URL

Hi,
It has been observed that sensitive information within URLs is getting logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.
Is there any alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method?

Regards
Madhukar Bhosale


Re: Session Token in URL

Posted by gabriel sztejnworcel <ga...@gmail.com>.
Hi,

In response to what Mike said regarding setting headers in WebSocket
connections, why not use cookies? If you set a cookie after login, it will
be sent with the WebSocket connection request.

Thanks,
Gabriel

On Wed, May 20, 2020, 7:21 AM sciUser <sh...@securitycentric.net> wrote:

> If you'd like to see it, you can go to https://academy.securitycentric.net
> create an account and I will add a demo for you and you can see how we forge
> the connections. We force the token to expire on exit and a new token to be
> issued for a new session.

Re: Session Token in URL

Posted by sciUser <sh...@securitycentric.net>.
If you'd like to see it, you can go to https://academy.securitycentric.net
create an account and I will add a demo for you and you can see how we forge
the connections. We force the token to expire on exit and a new token to be
issued for a new session.

-----
A Cybersecurity Enablement Company
We don't just run you through the motions, Our labs teach you how to think!
Known good Guacamole installations

--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org


Re: Session Token in URL

Posted by Mike Jumper <mj...@apache.org>.
On Tue, May 19, 2020, 13:46 Joachim Lindenberg <jo...@lindenberg.one>
wrote:

> Is logging really a concern if you use https and avoid any proxy that
> terminates (MitM)? Of course you can argue about the nginx or similar you
> put in front of Guacamole, but if both components are administrated by the
> same folks you know whom to trust or fire anyway.
>

Indeed, it's not that significant a concern, just a valid one. It is
generally accepted as a bad practice. If possible to avoid, we should do so.

I created an issue for this in JIRA a few months ago, and have been doing
some occasional work in that regard:

https://issues.apache.org/jira/browse/GUACAMOLE-956

- Mike

AW: Session Token in URL

Posted by Joachim Lindenberg <jo...@lindenberg.one>.
Is logging really a concern if you use https and avoid any proxy that terminates (MitM)? Of course you can argue about the nginx or similar you put in front of Guacamole, but if both components are administrated by the same folks you know whom to trust or fire anyway.

Regards, Joachim

From: Mike Jumper <mj...@apache.org>
Sent: Tuesday, 19 May 2020 21:06
To: user@guacamole.apache.org
Subject: Re: Session Token in URL

On Tue, May 19, 2020, 11:52 sciUser <shulbert@securitycentric.net> wrote:

What you want is what we do: we built a provisioning system that handles Just
In Time (JIT) tokens and they expire after the session is terminated, preventing
students from bookmarking the URL.

The token is not part of any URL exposed to the user in that way. It's part of REST requests made internally by JavaScript. You're not going to bookmark or see a session token unless you go out of your way to do so and open up dev tools.

The concern that a token may be inadvertently logged by a proxy is a valid one, though, and we should look into changes to the REST services that would allow the token to be provided through a header. I think the main difficulty there would be with WebSocket, which lacks an API for setting headers.

- Mike


Re: Session Token in URL

Posted by Mike Jumper <mj...@apache.org>.
On Tue, May 19, 2020, 11:52 sciUser <sh...@securitycentric.net> wrote:

> What you want is what we do: we built a provisioning system that handles
> Just In Time (JIT) tokens and they expire after the session is terminated,
> preventing students from bookmarking the URL.
>

The token is not part of any URL exposed to the user in that way. It's part
of REST requests made internally by JavaScript. You're not going to
bookmark or see a session token unless you go out of your way to do so and
open up dev tools.

The concern that a token may be inadvertently logged by a proxy is a valid
one, though, and we should look into changes to the REST services that
would allow the token to be provided through a header. I think the main
difficulty there would be with WebSocket, which lacks an API for setting
headers.

- Mike

Re: Session Token in URL

Posted by sciUser <sh...@securitycentric.net>.
What you want is what we do: we built a provisioning system that handles Just
In Time (JIT) tokens and they expire after the session is terminated, preventing
students from bookmarking the URL. This is using the POST action with
Tomcat. Search for my posts in this forum and you will find your solution.