Release 6.20.0: New parameters for login requests for more secure sessions

    The action redirect of the login servlet takes a one-time token and then redirects the user to their session. Unfortunately, we discovered errors in the infrastructure around Open-Xchange that cause those one-time tokens to be sent to the wrong clients, so the wrong clients get redirected into another user's session. This is possible because the action redirect rewrites the IP address and User-Agent stored in the session.

    All login methods must therefore be extended so that, when servers in the infrastructure around Open-Xchange create a session on behalf of a client instead of the client creating it itself, the client's IP address and User-Agent can be specified at login time.

    The following requests are extended with those parameters:
    - the action login of the login servlet,
    - the action formLogin of the login servlet,
    - the HTTP auth of the login servlet and
    - the easylogin request of the EasyLogin servlet.

    The following new parameters are introduced to the above mentioned requests:
    - clientIP (optional): IP address of the client host for which the session is created. If this parameter is not specified, the IP address of the HTTP client performing this request is used.
    - clientUserAgent (optional): value of the User-Agent header of the client host for which the session is created. If this parameter is not specified, the User-Agent of the HTTP client performing this request is used.
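    To make the parameter semantics and the resulting session binding concrete, here is a small added Python model of the behaviour described above. It is example code written for this post, not Open-Xchange's own implementation: `SessionStore`, `Session` and `TRUSTED_INTERMEDIARIES` are invented names, and restricting the clientIP/clientUserAgent override to a configured set of intermediary addresses is an assumption about how a deployment would want to guard the new parameters, not something the announcement states.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Assumption for this example: only these infrastructure hosts may supply
# clientIP / clientUserAgent on behalf of an end client. Constructed value.
TRUSTED_INTERMEDIARIES = {"10.0.0.5"}


@dataclass
class Session:
    session_id: str
    user: str
    client_ip: str
    client_user_agent: str


class SessionStore:
    """Minimal model of sessions bound to the end client's IP and User-Agent."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login(
        self,
        user: str,
        request_ip: str,
        request_user_agent: str,
        client_ip: Optional[str] = None,
        client_user_agent: Optional[str] = None,
    ) -> Session:
        """Create a session for `user`.

        clientIP / clientUserAgent (the new optional login parameters) name the
        end client the session is for; when absent, the values of the HTTP
        request performing the login are used, as the announcement describes.
        """
        override_requested = client_ip is not None or client_user_agent is not None
        if override_requested and request_ip not in TRUSTED_INTERMEDIARIES:
            # Assumption: an arbitrary client must not be able to bind a session
            # to an IP / User-Agent it does not actually use.
            raise PermissionError(
                "clientIP/clientUserAgent may only be set by a trusted intermediary"
            )
        session = Session(
            session_id=secrets.token_hex(16),
            user=user,
            client_ip=client_ip if client_ip is not None else request_ip,
            client_user_agent=(
                client_user_agent if client_user_agent is not None else request_user_agent
            ),
        )
        self._sessions[session.session_id] = session
        return session

    def lookup(self, session_id: str, request_ip: str, request_user_agent: str) -> Optional[Session]:
        """Return the session only if the caller matches the bound IP and User-Agent.

        This is the check that the redirect action undermined by rewriting the
        stored values; with the client identity fixed at login there is nothing
        to rewrite, so a mismatched caller simply gets no session.
        """
        session = self._sessions.get(session_id)
        if session is None:
            return None
        if session.client_ip != request_ip or session.client_user_agent != request_user_agent:
            return None
        return session


if __name__ == "__main__":
    store = SessionStore()
    # A trusted intermediary (10.0.0.5) logs in on behalf of the end client
    # 203.0.113.7 running "Mozilla/5.0" (constructed values).
    s = store.login("alice", "10.0.0.5", "proxy/1.0",
                    client_ip="203.0.113.7", client_user_agent="Mozilla/5.0")
    print("bound to", s.client_ip, s.client_user_agent)
    print("end client accepted:", store.lookup(s.session_id, "203.0.113.7", "Mozilla/5.0") is s)
    print("other host rejected:", store.lookup(s.session_id, "198.51.100.9", "Mozilla/5.0") is None)
```

    Without the two parameters, the intermediary's own address and User-Agent would be stored in the session, and the user would only be able to reach it through a rewrite step of the kind the redirect action performed; with them, the session is bound to the real client from the start.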