[NeverSleep] WARNING - This component has a major security flaw

Forge Component
Published on 2017-09-19 by Raphael Ranieri
4 votes

This component automatically logs in a user in your End-Users user-space.

This can provide unwanted access to your applications.

Hi Ricardo,

Could you please be more specific?

Accessing any page in this component will run the OnSessionStart action.

This action automatically creates and logs in a user on the Users end-user pool.

You can use the session information from this to manipulate your session cookie and therefore be logged in to any other application using the Users User Provider (which is the default for end-user applications).

Yes, I can get this as a threat. But again, I guess this is a developer thing while developing an application.


Ricardo is right!

This tool is still under testing and is intended for developers who can't let the PE fall asleep.

In the future, if it works, I intend to change the User Provider of this application in order to have an individual provider.