We are using SmartGWT Power 6.0 with Realtime Messaging. While doing security tests we found that possibly sensitive values were being passed in URL requests. Specifically the session
cookie was being sent. For example, the URL is
Request URL:
http://.../sc/messaging?ts=1494265095122&isc_noLog=1&type=connect&connectionID=isc_HiddenFrame_0&subscribedChannels=%7B%0A%20%20%20%20%2235CEB310FD9249E360FD10C8AADBBFED%22%3A%7B%0A%20%20%20%20%20%20%20%20subscriptionCallback%3Anull%0A%20%20%20%20%7D%0A%7D&eventStream=true
and the request header contains:
Cookie:
JSESSIONID=35CEB310FD9249E360FD10C8AADBBFED
Is there anything that can be done to prevent this?
Thanks,
Ken
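The finding above is the kind of thing a security test can check mechanically: percent-decode every query parameter of a request and see whether any session cookie value from the same request's Cookie header appears inside it. The script below is an added example written for this thread, not code from the post or from the SmartGWT product; the host in the sample URL is a placeholder (the post elides it), the request values are constructed from what the post shows, and the list of cookie names treated as session identifiers is an assumption you would adjust for your stack.

```python
from urllib.parse import urlsplit, parse_qs, unquote
from http.cookies import SimpleCookie

# Constructed sample request built from the values quoted in the post.
# The host "host.example" is a placeholder; the post does not give the real one.
SAMPLE_URL = (
    "http://host.example/sc/messaging?ts=1494265095122&isc_noLog=1&type=connect"
    "&connectionID=isc_HiddenFrame_0&subscribedChannels=%7B%0A%20%20%20%20"
    "%2235CEB310FD9249E360FD10C8AADBBFED%22%3A%7B%0A%20%20%20%20%20%20%20%20"
    "subscriptionCallback%3Anull%0A%20%20%20%20%7D%0A%7D&eventStream=true"
)
SAMPLE_COOKIE_HEADER = "JSESSIONID=35CEB310FD9249E360FD10C8AADBBFED"

# Assumed list of cookie names that carry a session identifier; extend for your framework.
SESSION_COOKIE_NAMES = {"JSESSIONID", "PHPSESSID", "ASP.NET_SessionId"}


def cookie_values(cookie_header):
    """Parse a Cookie request header into a {name: value} dict."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return {name: morsel.value for name, morsel in jar.items()}


def find_cookie_leaks(url, cookie_header, min_len=8):
    """Return [(cookie_name, query_param)] for every session cookie whose value
    shows up inside a percent-decoded query parameter of the URL.

    Values shorter than min_len are skipped because they would match almost
    anything and produce false positives.
    """
    cookies = cookie_values(cookie_header)
    # parse_qs percent-decodes once; the subscribedChannels JSON in the post
    # becomes a readable string containing the channel name.
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    leaks = []
    for cname, cvalue in cookies.items():
        if cname not in SESSION_COOKIE_NAMES or len(cvalue) < min_len:
            continue
        for pname, pvalues in query.items():
            # unquote() once more catches double-encoded values.
            if any(cvalue in v or cvalue in unquote(v) for v in pvalues):
                leaks.append((cname, pname))
    return leaks


if __name__ == "__main__":
    for cookie_name, param in find_cookie_leaks(SAMPLE_URL, SAMPLE_COOKIE_HEADER):
        print(f"session cookie {cookie_name} appears in query parameter {param}")
```

Run against the request from the post it reports JSESSIONID inside subscribedChannels, which is the leak the security test flagged; anything that logs URLs (proxies, access logs, browser history) then has a copy of the session identifier. The same check can be dropped into a proxy log parser to sweep a whole test session rather than one request.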