[
https://issues.apache.org/jira/browse/WOOKIE-426?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Scott Wilson updated WOOKIE-426:
--------------------------------
Fix Version/s: 2.0.0
> Provide a single-use token rather than a session token in widget URLs
> ---------------------------------------------------------------------
>
> Key: WOOKIE-426
> URL: https://issues.apache.org/jira/browse/WOOKIE-426
> Project: Wookie
> Issue Type: Improvement
> Components: Server
> Affects Versions: 2.0.0
> Reporter: Scott Wilson
> Assignee: Scott Wilson
> Labels: security
> Fix For: 2.0.0
>
>
> When a connector asks for a widget to display, Wookie returns a URL with an
> "idkey" parameter in the query string for the application to use in
> constructing an iframe. This idkey is used to authenticate requests by the
> widget for its metadata and preferences.
> However, we could instead supply a single-use token that is used when the
> widget is rendered to request a new token from Wookie to use for all
> subsequent requests.
> This means that anyone extracting the token from the URL would not be able to
> hijack the widget's session, as it would no longer be valid.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
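The flow proposed above, as an added worked model (Python, written for this page; it is not Wookie's code and does not reflect how the fix was implemented). Assumed details: the launch token is stored only as a hash, it must be redeemed within a short TTL and is consumed on the first redemption whether or not that redemption succeeds, the redeemed session token is bound to the widget instance, and the URL parameter keeps the existing name "idkey". The simulate() function plays the legitimate render followed by an attacker replaying the copied URL.

```python
"""Model of the single-use launch token proposed in WOOKIE-426.

Illustrative example, not Wookie project code. The token placed in the widget
URL can be exchanged exactly once, at render time, for a separate session
token that the widget then presents on its metadata and preference requests.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

LAUNCH_TOKEN_TTL = 60.0     # assumption: the URL token must be redeemed within 60 s
SESSION_TOKEN_TTL = 3600.0  # assumption: a widget session lives for one hour


def _digest(token: str) -> str:
    # Only a hash is stored, so a copy of the store cannot be replayed as tokens.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class _Record:
    instance_id: str   # the widget instance the token is bound to
    expires_at: float


@dataclass
class TokenService:
    # The clock is injectable so expiry can be exercised deterministically.
    clock: Callable[[], float] = time.time
    _launch: Dict[str, _Record] = field(default_factory=dict)
    _session: Dict[str, _Record] = field(default_factory=dict)

    def issue_launch_token(self, instance_id: str) -> str:
        """Called when a connector asks for a widget; the result goes in the URL."""
        token = secrets.token_urlsafe(32)
        self._launch[_digest(token)] = _Record(instance_id, self.clock() + LAUNCH_TOKEN_TTL)
        return token

    def redeem(self, launch_token: str) -> Optional[str]:
        """Called once by the rendered widget. The launch token is consumed on
        this call even if it turns out to be expired, and a fresh session
        token bound to the same widget instance is returned."""
        rec = self._launch.pop(_digest(launch_token), None)
        if rec is None or rec.expires_at < self.clock():
            return None
        session = secrets.token_urlsafe(32)
        self._session[_digest(session)] = _Record(rec.instance_id, self.clock() + SESSION_TOKEN_TTL)
        return session

    def authorize(self, session_token: str) -> Optional[str]:
        """Checks a metadata/preferences request; returns the widget instance
        id the caller may act on, or None. Launch tokens never authorize."""
        key = _digest(session_token)
        rec = self._session.get(key)
        if rec is None:
            return None
        if rec.expires_at < self.clock():
            del self._session[key]
            return None
        return rec.instance_id


def widget_url(base: str, launch_token: str) -> str:
    # Assumption: the parameter keeps its current name "idkey".
    return f"{base}?{urlencode({'idkey': launch_token})}"


def simulate(clock: Optional[Callable[[], float]] = None) -> dict:
    """Legitimate render, then an attacker replaying the token copied from the URL."""
    svc = TokenService(clock or time.time)
    launch = svc.issue_launch_token("instance-42")
    url = widget_url("https://wookie.example/widgets/clock/index.html", launch)

    # The widget renders and immediately exchanges the URL token for a session.
    session = svc.redeem(launch)

    # Attacker later extracts idkey from the URL (proxy log, referrer, history).
    stolen = parse_qs(urlparse(url).query)["idkey"][0]
    return {
        "widget_instance": svc.authorize(session),   # bound instance id
        "replay_session": svc.redeem(stolen),        # None: already consumed
        "stolen_as_session": svc.authorize(stolen),  # None: not a session token
    }


if __name__ == "__main__":
    print(simulate())
```

Two properties carry the security argument: redeem() pops the record before checking expiry, so a launch token is gone after its first presentation regardless of outcome, and authorize() only consults the session table, so a launch token lifted from a URL is useless as a session credential. The remaining exposure is the window between the URL being issued and the widget rendering, which the short LAUNCH_TOKEN_TTL bounds.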