Jim Sirikolkarn, posted June 22, 2023

UniGui Application sometimes sends the session id in a GET http request. For example, in Demo/Desktop/Grid-ActionColumn/gaction.dproj when the app starts, in the Chrome Network tab you will see:

http://localhost:8077/HandleEvent?IsEvent=1&Obj=O13&Evt=data&_S_ID=uBPn5su9LR10CD0C5AA&_dc=1687432446596&options=1&page=1&start=0&limit=25

I got a comment from my user that this could have a security problem; they recommend that the session id should be in the POST body instead. I also notice that almost all "HandleEvent" requests are using POST except some using GET like this one. I guess that it may come from UniDBGrid.

Please advise what can be a solution for this problem.

Thanks,
Jim Sirikolakarn
Skyp, posted August 21, 2023

On 6/22/2023 at 2:29 PM, Jim Sirikolkarn said:

> UniGui Application sometimes sends the session id in a GET http request. For example, in Demo/Desktop/Grid-ActionColumn/gaction.dproj when the app starts, in the Chrome Network tab you will see:
>
> http://localhost:8077/HandleEvent?IsEvent=1&Obj=O13&Evt=data&_S_ID=uBPn5su9LR10CD0C5AA&_dc=1687432446596&options=1&page=1&start=0&limit=25
>
> I got a comment from my user that this could have a security problem; they recommend that the session id should be in the POST body instead. I also notice that almost all "HandleEvent" requests are using POST except some using GET like this one. I guess that it may come from UniDBGrid.
>
> Please advise what can be a solution for this problem.
>
> Thanks,
> Jim Sirikolakarn

Good afternoon. The client also has an id in cookies, and the body of POST requests is also easy to see (any sniffer, or the browser's dev tools on the client)... I wonder which specific security case will allow you to use the session id? How do you propose to maintain a session without having an unambiguous identifier on the client side?

You can additionally implement OpenID; example: https://github.com/fernandolamp/DelphiKeycloak and JS, and periodically use the refresh token, but this will create additional load. (At the moment we use this method.)
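As an added example, not UniGUI's code and not from either poster, the Python script below shows the practical consequence of the concern raised in this thread: a session id carried in a GET query string is written into the web server's access log and is forwarded in the Referer header of later requests, while the POST in the same session leaves no id in its log line. The log format and the three log lines are constructed for the example; `_S_ID` is the parameter name from the thread, and the other session-parameter names are assumptions. The script flags such leaks and redacts them before the logs are shipped or retained.

```python
"""Detect and redact session identifiers that leak into access logs through GET query
strings. Added example, not UniGUI code; the sample log lines are constructed."""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameters treated as session identifiers (compared case-insensitively).
# `_S_ID` is the UniGUI parameter seen in the thread; the others are assumed common names.
SESSION_PARAMS = {"_s_id", "sessionid", "jsessionid", "phpsessid"}

# Constructed lines in the common "combined" access-log format. Line 1 is the GET from the
# thread, line 2 a POST carrying its id in the body (so nothing is logged), line 3 a request
# whose Referer header repeats the id from the earlier GET URL.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Jun/2023:14:29:10 +0700] "GET /HandleEvent?IsEvent=1&Obj=O13&Evt=data&_S_ID=uBPn5su9LR10CD0C5AA&_dc=1687432446596&page=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [22/Jun/2023:14:29:11 +0700] "POST /HandleEvent HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.0.9 - - [22/Jun/2023:14:30:02 +0700] "GET /static/app.js HTTP/1.1" 200 4096 "http://localhost:8077/HandleEvent?_S_ID=uBPn5su9LR10CD0C5AA&Evt=data" "Mozilla/5.0"
"""

# Request line, status, size and the quoted Referer field of a combined-format entry.
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d+) (?P<size>\S+) "(?P<referer>[^"]*)"'
)


def session_params_in_url(url):
    """Return the session-id parameter names (lowercased, sorted) found in a URL's query."""
    query = urlsplit(url).query
    return sorted({k.lower() for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in SESSION_PARAMS})


def redact_url(url):
    """Replace the value of every session-id parameter with REDACTED; other parameters,
    path, host and ordering are preserved. Works for full URLs and bare request targets."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in SESSION_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def scan_log(text):
    """Return (line_no, field, param) for every session id leaked via the request target
    or the Referer header. POST bodies never appear here, which is the point."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        for field in ("target", "referer"):
            for p in session_params_in_url(m.group(field)):
                findings.append((n, field, p))
    return findings


def _redact_match(m):
    # Rebuild the matched part of the entry with both URL-bearing fields redacted.
    return '"{} {} {}" {} {} "{}"'.format(
        m.group("method"), redact_url(m.group("target")), m.group("proto"),
        m.group("status"), m.group("size"), redact_url(m.group("referer")))


def redact_log(text):
    """Return the log with session-id values removed from targets and Referers."""
    return "\n".join(LOG_RE.sub(_redact_match, line) for line in text.splitlines())


if __name__ == "__main__":
    for line_no, field, param in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: session id in {field} ({param})")
    print(redact_log(SAMPLE_LOG))
```

Running the script reports the id on line 1 (request target) and line 3 (Referer), and nothing for the POST on line 2. Redaction at the log layer limits the exposure window of ids already logged; keeping the id out of the URL in the first place (cookie or POST body) is what stops the log and Referer copies from being created at all.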