Hi All
After a previous post helped me to resolve an issue:
https://forum.mibuso.com/discussion/68152/how-to-clear-single-sign-on-credentials
I was reminded by a colleague of a security issue with the WebClient. We've seen that if you start a session with one user, you can copy the cookies etc. from their IE temp files and drop them into your own temp files and carry on as the other user without re-authenticating.
We raised this with Microsoft and they didn't accept this as an issue, as users shouldn't be able to access these files from another user... OK, it's a valid point but it doesn't stop it being a security flaw.
So on realising that when using AccessControlService shared credentials, I'm concerned that I could copy the IE temp files and put them on my machine, then NAV would just load as the other user without prompting me for any credentials.
So before I have to make a local system just to test this, I was hoping that someone had already confirmed this? Also if it is an issue, I'm sure you'd all like to know.
Regards
Ben