[OFBIZ-12252] Session id `externalLoginKey' should not be included in URL - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Information Provided
Affects Version/s: None
Fix Version/s: None
Component/s: None
Labels:
None

Description

When changing between different OFBiz apps, session id `externalLoginKey' will be inserted into URL as a query string. But sensitive info like that should not be included in URL if we concerning about security, as it will be exposed in following scenarios:

1. It will be recorded in browser history
2. It will be recorded in web server access log
3. It will be sent to other servers in Referer header

Anyone get this key can log into OFBiz without authentication, until that key expired.

See following discussion for more info:

https://stackoverflow.com/questions/7351225/passing-session-identifier-as-a-query-string-parameter

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Xin Wang

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 05/Jun/21 14:50

Updated:: 06/Jun/21 07:37

Resolved:: 06/Jun/21 07:37