Tres
Posted October 28, 2016

I'm using IPS Connect, connecting between my existing PHP website and IPS Platform, and while implementing the Cross Login to accept the cross login call, I think I found a little security problem.

So, if what I know is right (please tell me if I'm wrong), you will set login session values when you receive a cross login request. But there's a chance that the user might catch the URL for cross logins while they redirect, which can be abused very easily. Like, if you change the 'id' parameter, the user will be able to log in with other ids right away.

I think there's a big chance I might have understood the whole concept of IPS Connect wrongly, so please let me know which part is wrong.

MADMAN32395
Posted October 28, 2016

Have you been able to capture this URL yourself and make a full proof of concept? I don't think it works that way.

Tres (Author)
Posted October 28, 2016

Yes I did. I pushed the Esc key by mistake during the redirects and could see the whole URL! When the internet connection is bad or the server is unstable, you may stay longer than you thought in the blank page during the redirect. It's not an HTTP request, but a chain of redirects when it's cross login.

MADMAN32395
Posted October 28, 2016

Is this based off of IPS setup notes or an incorrect setup on the site admin side?
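
Added example (not part of the thread and not IPS Connect's own code): a receiving-side check that only accepts a cross-login redirect when the 'id' in the URL is bound to a keyed signature and a short expiry, so an edited id is rejected. Only 'id' comes from the thread; the 'expires' and 'sig' parameters, the function names and the secret are assumptions for illustration.

```php
<?php
// Added illustration. 'expires', 'sig' and SHARED_SECRET are hypothetical;
// a real deployment loads the secret from configuration, never from source.
const SHARED_SECRET = 'constructed-demo-secret';

function sign_cross_login(string $id, string $expires, string $secret): string
{
    // Bind the signature to both the account id and the expiry time.
    return hash_hmac('sha256', $id . '|' . $expires, $secret);
}

// Returns the verified account id, or null if the request must be refused.
function verify_cross_login(array $query, string $secret, int $now): ?int
{
    foreach (['id', 'expires', 'sig'] as $key) {
        if (!isset($query[$key]) || !is_string($query[$key])) {
            return null; // missing or array-valued parameter
        }
    }
    if (!ctype_digit($query['id']) || !ctype_digit($query['expires'])) {
        return null; // only plain decimal values are accepted
    }
    if ((int) $query['expires'] < $now) {
        return null; // stale link, e.g. a URL copied during a slow redirect
    }
    $expected = sign_cross_login($query['id'], $query['expires'], $secret);
    // hash_equals compares in constant time.
    return hash_equals($expected, $query['sig']) ? (int) $query['id'] : null;
}

// Constructed sample request, built the way the sending application would.
$now  = 1477612800; // constructed timestamp
$good = ['id' => '42', 'expires' => (string) ($now + 60)];
$good['sig'] = sign_cross_login($good['id'], $good['expires'], SHARED_SECRET);

$tampered = $good;
$tampered['id'] = '1'; // the edit described in the first post

var_dump(verify_cross_login($good, SHARED_SECRET, $now));        // untouched URL
var_dump(verify_cross_login($tampered, SHARED_SECRET, $now));    // edited id
var_dump(verify_cross_login($good, SHARED_SECRET, $now + 3600)); // replayed later

// Only a non-null result should ever reach the code that sets the login session.
```

A valid signed URL can still be replayed until it expires, so the expiry window should be short, and a single-use token stored server-side closes that gap.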
Archived
This topic is now archived and is closed to further replies.