[ https://issues.apache.org/jira/browse/OFBIZ-12252?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Xin Wang closed OFBIZ-12252.
----------------------------
    Resolution: Information Provided

> Session id `externalLoginKey' should not be included in URL
> -----------------------------------------------------------
>
>                 Key: OFBIZ-12252
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12252
>             Project: OFBiz
>          Issue Type: Bug
>            Reporter: Xin Wang
>            Priority: Major
>
> When changing between different OFBiz apps, the session id `externalLoginKey'
> is inserted into the URL as a query string. But sensitive info like that
> should not be included in the URL if we are concerned about security, as it
> will be exposed in the following scenarios:
> 1. It will be recorded in browser history
> 2. It will be recorded in the web server access log
> 3. It will be sent to other servers in the Referer header
> Anyone who gets this key can log into OFBiz without authentication until that
> key expires.
> See the following discussion for more info:
> https://stackoverflow.com/questions/7351225/passing-session-identifier-as-a-query-string-parameter

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
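The two server-side exposure paths the reporter lists (the access log and the Referer header) can be checked directly from an existing log. The following is an added example, not code from the issue or from the OFBiz project: it scans access-log lines in the Apache/Tomcat "combined" format (an assumption about the deployment's log format) for an `externalLoginKey` query parameter in either the request line or the Referer value, and reports each hit with the key value masked so the scan itself does not re-log the secret. The log lines and key values are constructed for the example.

```python
"""Find externalLoginKey values leaked into an access log (added example, not OFBiz code)."""
from __future__ import annotations

import re
from urllib.parse import parse_qs, urlsplit

# Apache/Tomcat "combined" log format. Assumption: the server logs in this format.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

PARAM = "externalLoginKey"

# Constructed sample log: line 2 carries the key in the request line (exposure 2
# from the issue), line 3 carries it in the Referer of a follow-up image request
# (exposure 3). The key value is made up.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/2021:09:12:01 +0000] "GET /ecommerce/control/main HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Jun/2021:09:12:07 +0000] "GET /catalog/control/main?externalLoginKey=EL12345ABCDE HTTP/1.1" 200 7310 "https://shop.example/ecommerce/control/main" "Mozilla/5.0"
10.0.0.5 - - [10/Jun/2021:09:12:09 +0000] "GET /images/logo.png HTTP/1.1" 200 1042 "https://shop.example/catalog/control/main?externalLoginKey=EL12345ABCDE" "Mozilla/5.0"
203.0.113.9 - - [10/Jun/2021:09:13:44 +0000] "POST /webtools/control/login HTTP/1.1" 302 0 "-" "curl/7.68.0"
"""


def mask(value: str) -> str:
    """Keep a short prefix so findings can be correlated without re-logging the key."""
    return value[:4] + "..." if len(value) > 4 else "..."


def keys_in_url(url: str) -> list[str]:
    """Return every externalLoginKey value carried in the query string of `url`."""
    if not url or url == "-":
        return []
    return parse_qs(urlsplit(url).query).get(PARAM, [])


def find_exposures(log_text: str) -> list[dict]:
    """Report each log line where the key appears in the request line or the Referer."""
    findings: list[dict] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for where, url in (("request", m["target"]), ("referer", m["referer"])):
            for key in keys_in_url(url):
                findings.append(
                    {"line": lineno, "where": where, "client": m["host"], "key": mask(key)}
                )
    return findings


if __name__ == "__main__":
    for f in find_exposures(SAMPLE_LOG):
        print(f"line {f['line']}: {PARAM} in {f['where']} from {f['client']} ({f['key']})")
```

A Referer hit is worth treating separately from a request-line hit: the request-line value was at least sent to the OFBiz host, whereas a Referer value was sent to whichever host served the linked resource, so the finding should be checked against the request target to see whether that host is one you control.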