Marcher Technologies, posted September 18, 2011

Simple suggestion to tighten security. Say a member posts a URL with a session ID in it (happens too often here). Say another member has subscribed for email notification of that topic. An edit (if even done) is too late... the emails are already either queued to send or sent. Is it not viable to "sniff" the post for session ID links and remove the URL session ID bit?
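The suggestion above (scrub session identifiers out of URLs before the post is stored or mailed out) is a small input-normalisation step. The following is an added example, not code from this thread or from the forum software being discussed; the query-string key names it treats as session identifiers, the hostname `forum.example`, and the sample post text are all constructed assumptions for the illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-string keys treated as session identifiers. These names are ASSUMED
# for the example; a real deployment would use the exact parameter names its
# own software puts into links (check its URL builder, not this list).
SESSION_KEYS = {"s", "sid", "session", "sessionid", "phpsessid", "adsess"}

# Loose URL matcher; trailing punctuation is split off afterwards so that a
# URL ending a sentence ("...?showtopic=42.") keeps its full stop outside it.
URL_RE = re.compile(r"https?://[^\s<>\"']+")
TRAILING_PUNCT = ".,;:!?)"


def strip_session_id(url: str) -> str:
    """Return url with any session-identifier query parameters removed."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    kept = [(k, v) for k, v in pairs if k.lower() not in SESSION_KEYS]
    # urlunsplit drops the '?' entirely when the remaining query is empty.
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment))


def scrub_post(text: str) -> tuple[str, int]:
    """Rewrite every URL in a post body; returns (cleaned_text, urls_changed)."""
    changed = 0

    def repl(match: re.Match) -> str:
        nonlocal changed
        raw = match.group(0)
        stripped = raw.rstrip(TRAILING_PUNCT)
        trailer = raw[len(stripped):]
        cleaned = strip_session_id(stripped)
        if cleaned != stripped:
            changed += 1
        return cleaned + trailer

    return URL_RE.sub(repl, text), changed


# Constructed sample post: one admin link carrying a session token, one plain link.
SAMPLE_POST = (
    "Check http://forum.example/admin/index.php?adsess=deadbeef&app=core&module=login "
    "and http://forum.example/index.php?showtopic=42."
)

if __name__ == "__main__":
    cleaned, n = scrub_post(SAMPLE_POST)
    print(f"{n} URL(s) rewritten:\n{cleaned}")
```

Running the scrub at submission time, before the notification emails are queued, is what makes it effective: once the mail is generated, nothing done to the post afterwards reaches the inboxes. The count it returns is also worth logging, since a member repeatedly pasting session-bearing admin links is a signal that the links themselves are being built with a session attached.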
Marcher Technologies (author), posted September 18, 2011

This is only truly relevant for ACP links... as a note... while it could be labeled unintended user behavior... it happens.
bfarber, posted September 19, 2011

Can you point out the specific emails where this happens? In 9/10 cases when we build an email, we use the board_url variable and manually build the full URL, or if we are building a FURL we use "publicNoSession" to ensure no session is added to the URL emailed to everyone. If any emails are including a URL, I would consider that a bug, but I would need to know specifically which emails are a problem.
Marcher Technologies (author), posted September 19, 2011

> Can you point out the specific emails where this happens? In 9/10 cases when we build an email, we use the board_url variable and manually build the full URL, or if we are building a FURL we use "publicNoSession" to ensure no session is added to the URL emailed to everyone. If any emails are including a URL, I would consider that a bug, but I would need to know specifically which emails are a problem.

As the email itself contains the session hotlink to the ACP, I have PMed it directly to you rather than place it in the open.
This topic is now archived and is closed to further replies.