pcsoft.us.windevCopyright 2026, PC SOFT15 May 2017 14:05:00 Z11 May 2017 15:12:00 ZAfter one scan of one webdev application we encounter the following problem: If we copy the URL of one dynamic page send it by emails to another PC and use it the other user can see the data. Anyone manage to solve this issue in the dynamic webdev sites? Result of the scan: Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy or caching servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed between users. This can also allow for the disclosure of the session token to a third party via the Referrer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker. A compromise would allow an attacker unauthenticated access to a valid user's session, placing the application user's personal information at risk as well as increasing the likelihood of loss of integrity and confidentiality within the application. Session tokens hardcoded into the HTML for access to other locations can enable an attacker to impersonate the application regardless of the user and gain access to application functionality or information that usually requires a license.30WEBDEVen_UShttps://forum.pcsoft.fr/es-ES/pcsoft.us.windev/60827-dynamic-webdev-site-and-session-hijacking/read.awpmoderateur@pcsoft.fr (El moderador)webmaster@pcsoft.fr (El webmaster)guestpcsoft.us.windevhttps://forum.pcsoft.fr/es-ES/pcsoft.us.windev/60827-dynamic-webdev-site-and-session-hijacking-60877/read.awp15 May 2017 14:05:00 ZHi Mr. Black, The exact scenario (as stated above) is excellently described here. Quote Microsoft asp.net Cross-site req…https://forum.pcsoft.fr/es-ES/pcsoft.us.windev/60827-dynamic-webdev-site-and-session-hijacking-60877/read.awphttps://forum.pcsoft.fr/es-ES/pcsoft.us.windev/60827-dynamic-webdev-site-and-session-hijacking-60877/read.awp[WB] - Dynamic webdev site and session Hijackingguestpcsoft.us.windevhttps://forum.pcsoft.fr/es-ES/pcsoft.us.windev/60827-dynamic-webdev-site-and-session-hijacking-60875/read.awp15 May 2017 12:36:00 Zhi Paulo, I'm confused also. I thought a dynamic page with automatic session management option (AWP unchecked) placed the ses…https://forum.pcsoft.fr/es-ES/pcsoft.us.windev/60827-dynamic-webdev-site-and-session-hijacking-60875/read.awphttps://forum.pcsoft.fr/es-ES/pcsoft.us.windev/60827-dynamic-webdev-site-and-session-hijacking-60875/read.awp[WB] - Dynamic webdev site and session Hijackingguestpcsoft.us.windevhttps://forum.pcsoft.fr/es-ES/pcsoft.us.windev/60827-dynamic-webdev-site-and-session-hijacking-60873/read.awp15 May 2017 11:06:00 ZHi Paolo, You could also use NetMachineName() to identify the workstation. Kind regards, Piethttps://forum.pcsoft.fr/es-ES/pcsoft.us.windev/60827-dynamic-webdev-site-and-session-hijacking-60873/read.awphttps://forum.pcsoft.fr/es-ES/pcsoft.us.windev/60827-dynamic-webdev-site-and-session-hijacking-60873/read.awp[WB] - Dynamic webdev site and session Hijackingpvsoftwarepcsoft.us.windevhttps://forum.pcsoft.fr/es-ES/pcsoft.us.windev/60827-dynamic-webdev-site-and-session-hijacking-60845/read.awp12 May 2017 13:14:12 ZI have a login page, when closing this page I use the contextclose resource, in my case this problem does not occur that you are…https://forum.pcsoft.fr/es-ES/pcsoft.us.windev/60827-dynamic-webdev-site-and-session-hijacking-60845/read.awphttps://forum.pcsoft.fr/es-ES/pcsoft.us.windev/60827-dynamic-webdev-site-and-session-hijacking-60845/read.awp[WB] - Dynamic webdev site and session Hijackingguestpcsoft.us.windevhttps://forum.pcsoft.fr/es-ES/pcsoft.us.windev/60827-dynamic-webdev-site-and-session-hijacking-60834/read.awp11 May 2017 19:29:00 ZOne possible solution I'm thinking about would be: 1. Store the value of CurrentPage in one global variable in the first page o…https://forum.pcsoft.fr/es-ES/pcsoft.us.windev/60827-dynamic-webdev-site-and-session-hijacking-60834/read.awphttps://forum.pcsoft.fr/es-ES/pcsoft.us.windev/60827-dynamic-webdev-site-and-session-hijacking-60834/read.awp[WB] - Dynamic webdev site and session Hijackingguestpcsoft.us.windevhttps://forum.pcsoft.fr/es-ES/pcsoft.us.windev/60827-dynamic-webdev-site-and-session-hijacking-60833/read.awp11 May 2017 16:53:00 ZFabrice, I'm using the method you describe in point 1 but the app scan still reports the error. I can't use method 2 because…https://forum.pcsoft.fr/es-ES/pcsoft.us.windev/60827-dynamic-webdev-site-and-session-hijacking-60833/read.awphttps://forum.pcsoft.fr/es-ES/pcsoft.us.windev/60827-dynamic-webdev-site-and-session-hijacking-60833/read.awp[WB] - Dynamic webdev site and session Hijackingguestpcsoft.us.windevhttps://forum.pcsoft.fr/es-ES/pcsoft.us.windev/60827-dynamic-webdev-site-and-session-hijacking-60832/read.awp11 May 2017 16:27:00 ZHi Paulo, To give you an idea, you can read all about security and anti-forgery (session hijacking) and how it is implemented…https://forum.pcsoft.fr/es-ES/pcsoft.us.windev/60827-dynamic-webdev-site-and-session-hijacking-60832/read.awphttps://forum.pcsoft.fr/es-ES/pcsoft.us.windev/60827-dynamic-webdev-site-and-session-hijacking-60832/read.awp[WB] - Dynamic webdev site and session Hijackingguestpcsoft.us.windevhttps://forum.pcsoft.fr/es-ES/pcsoft.us.windev/60827-dynamic-webdev-site-and-session-hijacking-60831/read.awp11 May 2017 16:24:00 ZHi Paulo, there are several solutions to solve this problem... They all bog down to identifying the COMPUTER using the sessio…https://forum.pcsoft.fr/es-ES/pcsoft.us.windev/60827-dynamic-webdev-site-and-session-hijacking-60831/read.awphttps://forum.pcsoft.fr/es-ES/pcsoft.us.windev/60827-dynamic-webdev-site-and-session-hijacking-60831/read.awp[WB] - Dynamic webdev site and session Hijackingguestpcsoft.us.windevhttps://forum.pcsoft.fr/es-ES/pcsoft.us.windev/60827-dynamic-webdev-site-and-session-hijacking-60828/read.awp11 May 2017 15:56:00 ZHi Piet, Using the same app installed in the same server and tested with several clients sometimes i get the same result as y…https://forum.pcsoft.fr/es-ES/pcsoft.us.windev/60827-dynamic-webdev-site-and-session-hijacking-60828/read.awphttps://forum.pcsoft.fr/es-ES/pcsoft.us.windev/60827-dynamic-webdev-site-and-session-hijacking-60828/read.awp[WB] - Dynamic webdev site and session Hijackingguestpcsoft.us.windevhttps://forum.pcsoft.fr/es-ES/pcsoft.us.windev/60827-dynamic-webdev-site-and-session-hijacking-60830/read.awp11 May 2017 15:33:00 ZHi Paolo, If I copy and paste an url, I always get "The session does not exist anymore". Kind regards, Piethttps://forum.pcsoft.fr/es-ES/pcsoft.us.windev/60827-dynamic-webdev-site-and-session-hijacking-60830/read.awphttps://forum.pcsoft.fr/es-ES/pcsoft.us.windev/60827-dynamic-webdev-site-and-session-hijacking-60830/read.awp[WB] - Dynamic webdev site and session Hijacking