
UniGui Security Problem


Jim Sirikolkarn

Recommended Posts

UniGui Application sometimes sends the session id in a GET http request.

For example, in Demo/Desktop/Grid-ActionColumn/gaction.dproj, when the app starts, you will see this in the Chrome Network tab:

http://localhost:8077/HandleEvent?IsEvent=1&Obj=O13&Evt=data&_S_ID=uBPn5su9LR10CD0C5AA&_dc=1687432446596&options=1&page=1&start=0&limit=25

I got a comment from my user that this could be a security problem; they recommend that the session id should be in the POST body instead.

I also notice that almost all "HandleEvent" requests use POST, except for some using GET like this one. I guess it may come from UniDBGrid.

 

Please advise what the solution to this problem could be.

 

Thanks,

Jim Sirikolakarn
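A defender-side check for the behaviour described above, added here as an example and not part of the original post or of UniGUI: it scans constructed web-server access-log lines for requests that carry the session id in the query string (where it also ends up in server logs, browser history and Referer headers) and produces a redacted URL that is safe to keep in logs. The log format and the extra key names are assumptions.

```python
"""Flag and redact session ids (e.g. UniGUI's _S_ID) found in request query strings."""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-string keys that carry a session identifier. "_S_ID" is the UniGUI
# parameter seen in the request above; the other names are assumptions.
SESSION_KEYS = {"_s_id", "sessionid", "phpsessid", "jsessionid"}

# Common Log Format: ip ident user [ts] "METHOD url PROTO" status (assumed format)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines: one GET that leaks _S_ID, one POST that does not.
SAMPLE_LOG = [
    '127.0.0.1 - - [22/Jun/2023:14:29:01 +0700] "GET /HandleEvent?IsEvent=1&Obj=O13&Evt=data'
    '&_S_ID=uBPn5su9LR10CD0C5AA&_dc=1687432446596&options=1&page=1&start=0&limit=25 HTTP/1.1" 200 -',
    '127.0.0.1 - - [22/Jun/2023:14:29:02 +0700] "POST /HandleEvent?IsEvent=1&Obj=O14&Evt=click HTTP/1.1" 200 -',
]


def session_keys_in_url(url):
    """Return the query keys in `url` that carry a session id (original spelling kept)."""
    query = urlsplit(url).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True) if k.lower() in SESSION_KEYS]


def redact_url(url):
    """Replace session-id values with 'REDACTED'; other parameters and their order are kept."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in SESSION_KEYS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def scan_log(lines):
    """Return (method, redacted_url, leaked_keys) for each request whose URL carries a session id."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        keys = session_keys_in_url(m["url"])
        if keys:
            findings.append((m["method"], redact_url(m["url"]), keys))
    return findings


if __name__ == "__main__":
    for method, url, keys in scan_log(SAMPLE_LOG):
        print(f"{method} leaks {keys} -> {url}")
```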

On 6/22/2023 at 2:29 PM, Jim Sirikolkarn said:

UniGui Application sometimes sends the session id in a GET http request.

For example, in Demo/Desktop/Grid-ActionColumn/gaction.dproj, when the app starts, you will see this in the Chrome Network tab:

http://localhost:8077/HandleEvent?IsEvent=1&Obj=O13&Evt=data&_S_ID=uBPn5su9LR10CD0C5AA&_dc=1687432446596&options=1&page=1&start=0&limit=25

I got a comment from my user that this could be a security problem; they recommend that the session id should be in the POST body instead.

I also notice that almost all "HandleEvent" requests use POST, except for some using GET like this one. I guess it may come from UniDBGrid.

 

Please advise what the solution to this problem could be.

 

Thanks,

Jim Sirikolakarn

Good afternoon.

The client also has an id in cookies, and the body of POST requests is also easy to see (any sniffer, or the browser's dev tools on the client)...

I wonder which specific security case would allow you to use the session id?

 

How do you propose to maintain a session without having an unambiguous identifier on the client side?

You can additionally implement OpenID, for example:

https://github.com/fernandolamp/DelphiKeycloak and JS

and periodically use a refresh token, but this will create additional load. (At the moment we use this method.)
