This ticket describes an issue that may or may not be relevant in present browser environments.
Boxoffice currently generates random URLs that buyers can share with attendees to fill out attendee details. These URLs do not require any authentication. This may be a problem if the browser's history is vulnerable to hijack by (say) a malicious browser extension. (Previously, HTTP sniffing by network intermediaries was also a risk.)
This can be mitigated somewhat by using a two-part URL, in the form of .../ticket_id/secret. When this URL is requested, the server sets an HttpOnly cookie with the contents of the secret and redirects the browser (301? 302? 303?) to a new URL that doesn't include the secret: .../ticket_id. This second URL checks for the presence of the secret in the cookie before allowing the page to be rendered.
By doing this, URLs cannot be reloaded from browser history once the cookie expires. They can only be reloaded by using the original link. The original link is never seen by JavaScript, protecting it from malicious browser extensions.
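The two-hop flow described above, written out as an added example (this is not Boxoffice's own code). It assumes a framework-agnostic handler that returns a status, headers and body, an in-memory ticket store standing in for the database, and a 303 redirect so the secret-free URL is what lands in browser history; the cookie is scoped with Path to the one ticket so it is not sent to other ticket URLs.

```python
import hmac
import re
import secrets
from http.cookies import SimpleCookie

# Constructed sample store: ticket_id -> secret. Assumption: the real app keeps this in its DB.
TICKETS = {"t-1001": "kZ3v9fJq0sN7"}
COOKIE_NAME = "attendee_secret"
COOKIE_TTL = 3600  # seconds; once expired, /ticket/<id> from history no longer renders


def issue_link(ticket_id):
    """Generate the shareable two-part URL for a ticket (hypothetical helper)."""
    secret = secrets.token_urlsafe(18)  # URL-safe, so it fits the route pattern below
    TICKETS[ticket_id] = secret
    return f"/ticket/{ticket_id}/{secret}"


def parse_cookies(header):
    """Turn a raw Cookie request header into a name -> value dict."""
    jar = SimpleCookie()
    if header:
        jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def handle(path, cookie_header=None):
    """Return (status, headers, body) for both URL forms."""
    m = re.fullmatch(r"/ticket/([A-Za-z0-9-]+)(?:/([A-Za-z0-9_-]+))?", path)
    if not m:
        return 404, {}, "not found"
    ticket_id, secret = m.group(1), m.group(2)
    stored = TICKETS.get(ticket_id)
    if stored is None:
        return 404, {}, "not found"
    if secret is not None:
        # First hop: .../ticket_id/secret. Validate in constant time, move the secret
        # into an HttpOnly cookie, and 303-redirect to the URL without the secret.
        if not hmac.compare_digest(secret.encode(), stored.encode()):
            return 404, {}, "not found"  # same response as an unknown ticket
        cookie = (f"{COOKIE_NAME}={secret}; Path=/ticket/{ticket_id}; "
                  f"Max-Age={COOKIE_TTL}; HttpOnly; Secure; SameSite=Lax")
        return 303, {"Location": f"/ticket/{ticket_id}", "Set-Cookie": cookie}, ""
    # Second hop: .../ticket_id. Render only if the cookie carries the right secret.
    presented = parse_cookies(cookie_header).get(COOKIE_NAME, "")
    if not hmac.compare_digest(presented.encode(), stored.encode()):
        return 403, {}, "attendee link required"
    return 200, {}, f"attendee form for {ticket_id}"
```

A reload of the bare /ticket/<id> URL from history fails once the cookie has expired or is absent, which is the property the ticket is after.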