Scott Wilson created WOOKIE-426:
-----------------------------------

             Summary: Provide a single-use token rather than a session token in widget URLs
                 Key: WOOKIE-426
                 URL: https://issues.apache.org/jira/browse/WOOKIE-426
             Project: Wookie
          Issue Type: Improvement
          Components: Server
    Affects Versions: 2.0.0
            Reporter: Scott Wilson
            Assignee: Scott Wilson


When a connector asks for a widget to display, Wookie returns a URL with an 
"idkey" parameter in the query string for the application to use when 
constructing an iframe. This idkey is then used to authenticate the widget's 
requests for its metadata and preferences.

However, we could instead supply a single-use token that the widget, when it is 
rendered, redeems with Wookie for a new token; that new token is then used for 
all subsequent requests.

This means that anyone extracting the token from the URL (for example from 
browser history, referrer headers or proxy logs) would not be able to hijack 
the widget's session, as the token would already have been consumed and would 
no longer be valid.
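The exchange described above, as an added example that is not part of this issue or of Wookie's own code base: a small server-side token service that mints a single-use render token, places it in the widget URL, and lets the widget redeem it exactly once for a session token. The class and function names (`WidgetTokenService`, `issue_render_token`, `exchange`, `authenticate`, `widget_url`) and the `idkey` exchange endpoint name are assumptions for illustration; tokens are stored hashed so a leaked store does not yield usable tokens, and render tokens carry a short expiry.

```python
import hashlib
import secrets
import time
from urllib.parse import urlencode

class WidgetTokenService:
    """Hypothetical token service: single-use render token -> session token."""

    def __init__(self, render_ttl_seconds=60, clock=time.monotonic):
        self._clock = clock                 # injectable for testing expiry
        self._render_ttl = render_ttl_seconds
        self._pending = {}    # sha256(render token) -> (instance id, expires_at)
        self._sessions = {}   # sha256(session token) -> instance id

    @staticmethod
    def _digest(token):
        # Store only a hash: a dump of the store must not yield live tokens.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue_render_token(self, widget_instance_id):
        """Mint the token that goes into the widget URL. Valid once, briefly."""
        token = secrets.token_urlsafe(32)
        expires_at = self._clock() + self._render_ttl
        self._pending[self._digest(token)] = (widget_instance_id, expires_at)
        return token

    def exchange(self, render_token):
        """Redeem a render token for a session token.

        pop() consumes the entry, so a second presentation of the same
        render token (e.g. replayed from a log) returns None.
        """
        entry = self._pending.pop(self._digest(render_token), None)
        if entry is None:
            return None
        widget_instance_id, expires_at = entry
        if self._clock() > expires_at:
            return None                     # expired: discarded, not honoured
        session_token = secrets.token_urlsafe(32)
        self._sessions[self._digest(session_token)] = widget_instance_id
        return session_token

    def authenticate(self, session_token):
        """Map a session token back to its widget instance, or None."""
        return self._sessions.get(self._digest(session_token))

def widget_url(base_url, render_token):
    """Build the URL handed to the connector (assumed parameter name 'idkey')."""
    return base_url + "?" + urlencode({"idkey": render_token})

def demo():
    """Walk through issue -> render -> exchange -> replay, returning the outcomes."""
    svc = WidgetTokenService()
    render_token = svc.issue_render_token("widget-instance-1")  # constructed id
    url = widget_url("https://wookie.example/widgets/instance", render_token)
    session_token = svc.exchange(render_token)       # widget redeems at render
    replay = svc.exchange(render_token)              # attacker replays from URL
    return {
        "url": url,
        "session_ok": svc.authenticate(session_token) == "widget-instance-1",
        "replay_rejected": replay is None,
        "render_token_is_not_a_session": svc.authenticate(render_token) is None,
    }

if __name__ == "__main__":
    print(demo())
```

The render token's time-to-live should be just long enough for the iframe to load; the session token never appears in a URL, so it can live for the whole widget session and be revoked server-side by deleting its hash.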



--
This message was sent by Atlassian JIRA
(v6.2#6252)