Posted September 18, 2011
Simple suggestion to tighten security. Say a member posts a URL with a session ID in it (happens too often here). Say another member has subscribed for email notification of that topic. An edit (if even done) is too late... the emails are already either queued to send or sent. Is it not viable to "sniff" the post for session ID links and remove the URL session ID bit?
September 18, 2011 Author
This is only truly relevant for ACP links... as a note... while it could be labeled unintended user behavior... it happens.
September 19, 2011
Can you point out the specific emails where this happens? In 9/10 cases when we build an email, we use the board_url variable and manually build the full URL, or if we are building a FURL we use "publicNoSession" to ensure no session is added to the URL emailed to everyone. If any emails are including a URL, I would consider that a bug, but would need to know specifically which emails are a problem.
September 19, 2011 Author
> Can you point out the specific emails where this happens? In 9/10 cases when we build an email, we use the board_url variable and manually build the full URL, or if we are building a FURL we use "publicNoSession" to ensure no session is added to the URL emailed to everyone. If any emails are including a URL, I would consider that a bug, but would need to know specifically which emails are a problem.

As the email itself contains the session hotlink to ACP, I have PMed it directly to you rather than place it in the open.
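The filtering suggested in the first post, as an added example that is not from this thread or from IP.Board's own code: it removes session-token query parameters from URLs in post text before that text is queued for notification email, and reports how many were removed. The parameter names `s` and `adsess`, the 32-hex token shape, the assumption that the text is raw (not HTML-escaped), and the `forum.example` URLs are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed names: "s" (public session) and "adsess" (ACP session).
SESSION_PARAMS = {"s", "adsess"}
# Only strip values shaped like a token, so "s=cats" in a search URL survives.
TOKEN_RE = re.compile(r"^[0-9a-fA-F]{32}$")
# URLs in raw post text; stops at whitespace, quotes, angle and BBCode brackets.
URL_RE = re.compile(r"https?://[^\s<>\"'\[\]]+")
TRAILING = ".,;:!?)"


def _scrub_url(url):
    """Return (url_without_session_params, number_removed)."""
    # Sentence punctuation glued to the URL is not part of it; set it aside.
    trail = ""
    while url and url[-1] in TRAILING:
        trail = url[-1] + trail
        url = url[:-1]
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    kept = [(k, v) for k, v in pairs
            if not (k.lower() in SESSION_PARAMS and TOKEN_RE.match(v))]
    removed = len(pairs) - len(kept)
    if removed == 0:
        return url + trail, 0  # leave untouched URLs byte-for-byte intact
    # The query is re-encoded only when a token was actually dropped.
    clean = urlunsplit(parts._replace(query=urlencode(kept)))
    return clean + trail, removed


def scrub_post(text):
    """Strip session tokens from every URL in text; return (text, count)."""
    total = 0

    def repl(match):
        nonlocal total
        clean, n = _scrub_url(match.group(0))
        total += n
        return clean

    return URL_RE.sub(repl, text), total


if __name__ == "__main__":
    tok = "0123456789abcdef0123456789abcdef"  # constructed sample token
    print(scrub_post(f"ACP: http://forum.example/admin/index.php?adsess={tok}&app=core."))
```

A non-zero count is worth logging, since a token that reached a post may already have been seen by other members and the session should be invalidated regardless of what the email contains.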
Archived
This topic is now archived and is closed to further replies.