Session ID reflected in AJAX request to portal
Concerned version
Version: 2.0.14
Summary
When logged into the portal, an AJAX request to https://auth.example.com/ with Content-Type: application/json returns the current session ID in the JSON body.
Logs
// dataType: "json" makes jQuery send an Accept: application/json request header and parse the reply as JSON
$.ajax({url : "/", dataType: "json", success: function(data) {console.log(data)}});
Object { id: "3b4c4993cdb9b711ea6795774072caf6983961141bc205aaf016ae2500037a27", result: 1, error: "0" }
Possible fixes
This is by design, see #1711 (closed); however, it has a security consequence: an XSS on the portal can read the session ID through this request even when the session cookie is httpOnly, which defeats the point of that flag.
This behavior should be disabled by default, while keeping compatibility with t/25-AuthSlave-with-Credentials.t.
Made private because of the security context, but probably low impact
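The following is an added example to illustrate the report, not LemonLDAP::NG code: a leak check that inspects a JSON portal response for a session identifier (the sample body is the one pasted in the logs above), next to a model of the current response beside a hardened variant that omits the id unless a deployment opts in. The option name exposeSessionIdInJson is hypothetical; whatever switch the project ends up with is not on this page.

```javascript
// Added example, not LemonLDAP::NG code.
// Constructed sample: the JSON body shown in this report.
const SAMPLE_BODY = JSON.stringify({
  id: "3b4c4993cdb9b711ea6795774072caf6983961141bc205aaf016ae2500037a27",
  result: 1,
  error: "0",
});

// Model of the current behaviour: any JSON client gets the session id back.
function buildPortalJsonLeaky(session) {
  return { id: session.id, result: 1, error: "0" };
}

// Hardened variant: the id is omitted unless the deployment explicitly opts in
// (hypothetical option name, kept for setups such as the AuthSlave test that rely on it).
function buildPortalJsonHardened(session, { exposeSessionIdInJson = false } = {}) {
  const body = { result: 1, error: "0" };
  if (exposeSessionIdInJson) body.id = session.id;
  return body;
}

// Check: does a JSON response body expose a session identifier?
// With knownSessionId (e.g. your own session cookie value) it flags an exact match;
// without it, it flags any 64-hex-char string, the id format seen in the report.
// Returns the leaked value, or null when nothing matches or the body is not JSON.
function findLeakedSessionId(body, knownSessionId) {
  let data;
  try {
    data = JSON.parse(body);
  } catch {
    return null;
  }
  const hex64 = /^[0-9a-f]{64}$/;
  const stack = [data];
  while (stack.length) {
    const node = stack.pop();
    if (node && typeof node === "object") {
      stack.push(...Object.values(node)); // walks nested objects and arrays alike
      continue;
    }
    if (typeof node !== "string") continue;
    if (knownSessionId ? node === knownSessionId : hex64.test(node)) return node;
  }
  return null;
}

// Demonstration on the constructed sample and on both response builders.
const session = { id: "a".repeat(64) }; // constructed session, not a real one
console.log("report body leaks:", findLeakedSessionId(SAMPLE_BODY));
console.log("leaky builder:", findLeakedSessionId(JSON.stringify(buildPortalJsonLeaky(session))));
console.log("hardened builder:", findLeakedSessionId(JSON.stringify(buildPortalJsonHardened(session))));
```

To check a real deployment, fetch the portal root with an Accept: application/json header from an authenticated browser session and pass the response text plus your session cookie value to findLeakedSessionId; a non-null result is exactly what an XSS payload on the portal would obtain, httpOnly or not.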
Edited by Maxime Besson