[aklug] Re: State of Alaska Security / SSL

From: Royce Williams <royce@alaska.net>
Date: Thu May 20 2010 - 08:52:53 AKDT

Royce Williams wrote, on 5/20/2010 8:43 AM:
>> The other danger is if a secure web site using this method links to an
>> off-site page. The referrer will contain your user and pass. This is
>> really worrying as this is a security "hole" that I remember hearing
>> talked about *YEARS* ago. It's really sad to see the AK IT department
>> using something like this.

State of Alaska folks: sorry, guys - false alarm.

AKLUGers, take a closer look at the URL (I've broken it out by params):

https://palm.state.ak.us/amserver/UI/Login
 ?Login.Token1=USERNAMEHERE
 &Login.Token2=PASSWORDHERE
 &goto=https://myalaska.state.ak.us/home
 &gotoOnFail=https://myalaska.state.ak.us/home/app

'palm' appears to be a centralized auth server, so its URLs are only
briefly in play. The only server that would receive the referring URL
from palm would be myalaska ... and by the time you're done logging in,
no outlinks would have access to the original password-containing URL.

Royce
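Added example, not from the thread: a small model of which Referer each hop of the login flow above would carry, flagging the hops where the credential-bearing URL would be exposed to the receiving host. It assumes each URL in the chain is a rendered page navigation under the classic default referrer behaviour (fragment stripped, nothing sent when leaving HTTPS for plain HTTP); the parameter names Login.Token1/Login.Token2 come from the URL in the thread, and the outbound example.com link is constructed.

```python
"""Model Referer exposure along a navigation chain (added example)."""
from urllib.parse import urlsplit, parse_qs

# Query parameters assumed to carry credentials (names taken from the thread's URL).
SENSITIVE_PARAMS = {"Login.Token1", "Login.Token2"}


def credential_params(url):
    """Return the set of sensitive parameter names present in url's query string."""
    return SENSITIVE_PARAMS & set(parse_qs(urlsplit(url).query))


def referer_for(prev_url, next_url):
    """Referer a browser would send when navigating prev_url -> next_url under the
    classic default policy: fragment stripped, nothing sent from HTTPS to plain HTTP."""
    prev, nxt = urlsplit(prev_url), urlsplit(next_url)
    if prev.scheme == "https" and nxt.scheme != "https":
        return None
    return prev._replace(fragment="").geturl()


def leaking_hops(chain):
    """For a list of URLs visited in order, return (hop_index, receiving_host, params)
    for every hop whose Referer would expose credential parameters to the next host."""
    leaks = []
    for i in range(1, len(chain)):
        ref = referer_for(chain[i - 1], chain[i])
        if ref is None:
            continue
        params = credential_params(ref)
        if params:
            leaks.append((i, urlsplit(chain[i]).hostname, sorted(params)))
    return leaks


# Constructed navigation: the login URL as broken out in the thread, the redirect
# target, then an outbound link. Only the first hop carries the secret.
FLOW = [
    "https://palm.state.ak.us/amserver/UI/Login?Login.Token1=USERNAMEHERE"
    "&Login.Token2=PASSWORDHERE&goto=https://myalaska.state.ak.us/home",
    "https://myalaska.state.ak.us/home",
    "http://www.example.com/outlink",  # constructed off-site link
]

if __name__ == "__main__":
    for hop, host, params in leaking_hops(FLOW):
        print(f"hop {hop}: {host} would receive {params} in the Referer header")
```

Running it reports only hop 1 (palm -> myalaska); the outbound link on hop 2 sees no credential-bearing Referer, which is the point Royce makes above.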

Received on Thu May 20 08:53:02 2010

This archive was generated by hypermail 2.1.8 : Thu May 20 2010 - 08:53:02 AKDT