Sniff notification emails for sessions?


Simple suggestion to tighten security.
Say a member posts a URL with a session ID in it (happens too often here).
Say another member has subscribed for email notification of that topic.
An edit (if even done) is too late... the emails are already either queued to send or sent.
Is it not viable to "sniff" the post for session ID links and remove the URL session ID bit?


Can you point out the specific emails where this happens? In 9/10 cases when we build an email, we use the board_url variable and manually build the full URL, or if we are building a FURL we use "publicNoSession" to ensure no session is added to the URL emailed to everyone. If any emails are including a URL, I would consider that a bug, but would need to know specifically which emails are a problem.

As the email itself contains the session hotlink to the ACP, I have PMed it directly to you rather than place it in the open.

Archived

This topic is now archived and is closed to further replies.
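
The check the first post asks for, as an added example (not code from the forum software discussed in this thread): scan a plain-text post body for URLs and drop session-bearing parameters before the notification email is queued. The names in `SESSION_PARAMS` and the `forum.example` URLs are assumptions constructed for illustration; replace them with the parameter names your own software uses.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumption: parameter names that carry a session identifier (compared lowercased).
SESSION_PARAMS = {"s", "sid", "adsess", "phpsessid", "jsessionid"}

URL_RE = re.compile(r"https?://[^\s<>\"'\])]+", re.IGNORECASE)
# Session IDs carried as ";name=value" path parameters instead of in the query.
PATH_PARAM_RE = re.compile(
    r";(?:%s)=[^/?#;]*" % "|".join(sorted(SESSION_PARAMS)), re.IGNORECASE)

def strip_session(url):
    """Return (clean_url, removed) with session-bearing parameters dropped."""
    parts = urlsplit(url)
    path, n_path = PATH_PARAM_RE.subn("", parts.path)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    kept = [(k, v) for k, v in pairs if k.lower() not in SESSION_PARAMS]
    if n_path == 0 and len(kept) == len(pairs):
        return url, False  # nothing to strip: leave the URL byte-for-byte intact
    clean = urlunsplit((parts.scheme, parts.netloc, path,
                        urlencode(kept), parts.fragment))
    return clean, True

def sanitize_post(text):
    """Rewrite every URL in a post body; return (clean_text, urls_changed)."""
    changed = 0

    def repl(match):
        nonlocal changed
        url, trail = match.group(0), ""
        # Sentence punctuation glued to the end of a URL is not part of it.
        while url and url[-1] in ".,;:!?":
            url, trail = url[:-1], url[-1] + trail
        clean, removed = strip_session(url)
        changed += int(removed)
        return clean + trail

    return URL_RE.sub(repl, text), changed

# Constructed sample post body (not taken from the thread).
SAMPLE = ("See http://forum.example/index.php?s=0123456789abcdef&showtopic=42, "
          "thanks. Also http://forum.example/index.php?showtopic=7")

if __name__ == "__main__":
    print(sanitize_post(SAMPLE))
```

Run it on the stored post as well as the outgoing email, and treat any session ID that was already posted as exposed: invalidate it server-side rather than relying on the rewrite alone.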
