Jump to content

IPSConnect Cross Login.. Security problems...?


Tres

Recommended Posts

I'm using IPS Connect, connecting between my existing php website and lPS Platform, and while implementing the Cross Login to accept the cross login call, I think I found a little security problem.

 

So, if what I know is right(please tell me if I'm wrong), you will set login session values when you receive a cross login request.

But there's a chance that the user might catch the URL for cross logins while they redirect, which can be abused very easily.

Like, if you change the 'id' parameter, the user will be able to login with other ids right away.

 

I think there's a big chance I might have understood the whole concept of IPS Connect wrongly, 

so please let me know which part is wrong.

Link to comment
Share on other sites

Yes I did. I pushed esc key by mistake during the redirects and could see the whole URL! When internet connection is bad/server is unstable, you may stay longer than you thought in the blank page during redirect. It's not an HTTP request, but a chain of redirects when it's cross login.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...