[one-users] ONE 4.6.2 - passwords in URL

Paul Batchelor pbatchelor at blackberry.com
Fri Jul 18 05:39:38 PDT 2014


Hi Paul,

One possible workaround would be to simply turn off the blanket compatibility mode setting for all intranet (local) sites and use the compatibility view sites group policy setting. (i.e. enabling compatibility mode only for those sites that specifically require it)

Cheers

From: Users [mailto:users-bounces at lists.opennebula.org] On Behalf Of Paul Reilly
Sent: 18 July 2014 12:24
To: users at lists.opennebula.org
Subject: [one-users] ONE 4.6.2 - passwords in URL

Hello,

I'm evaluating OpenNebula 4.6.2 in a university environment. Unfortunately some of our users use Internet Explorer 11 with compatibility mode enabled. They need this for other sites. When this is enabled, and they log in to OpenNebula, their username and password are passed in clear text in the URL, and are also saved in their browsing history, like this:

https://onetest.uni.edu/?username=joe&password=OpenSesame
We have LDAP authentication to Active Directory configured, so it's a security concern if their username and password are sent in clear text in the request URL.
Does anyone know why this happens, and how to fix it?
Thank you,
Paul

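Added example, not part of the original thread or of OpenNebula: credentials submitted in a query string as described above also end up in the web server's access log, so this sketch scans log lines for them, lists the accounts whose passwords need resetting, and rewrites the entries with the secret redacted. It assumes a combined-format access log in front of the login page and the parameter names shown in the post; the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumption: query parameter names that carry secrets; the post shows "password".
SENSITIVE = {"password", "passwd", "pwd"}
# Request line inside an access log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

def redact_target(target):
    """Return (redacted_target, username_or_None, leaked) for one request target."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    leaked = any(k.lower() in SENSITIVE for k, _ in pairs)
    if not leaked:
        return target, None, False
    user = next((v for k, v in pairs if k.lower() == "username"), None)
    clean = [(k, "REDACTED" if k.lower() in SENSITIVE else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(clean))), user, True

def scan(lines):
    """Return (redacted_lines, sorted usernames whose password reached the log)."""
    out, exposed = [], set()
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            target, user, leaked = redact_target(m.group("target"))
            if leaked:
                exposed.add(user or "<unknown>")
                # Replace only the request target, keep the rest of the entry intact.
                line = line[:m.start("target")] + target + line[m.end("target"):]
        out.append(line)
    return out, sorted(exposed)

# Constructed sample entries (not real log data); values mirror the URL in the post.
SAMPLE = [
    '192.0.2.10 - - [18/Jul/2014:12:20:01 +0100] "GET /?username=joe&password=OpenSesame HTTP/1.1" 200 5120',
    '192.0.2.11 - - [18/Jul/2014:12:21:40 +0100] "POST /login HTTP/1.1" 204 0',
    '192.0.2.12 - - [18/Jul/2014:12:22:13 +0100] "GET /?username=ann&Password=p%26ss HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    redacted, users = scan(SAMPLE)
    print("\n".join(redacted))
    print("accounts to reset:", users)
```

The same leak reaches browser history and any proxy logs on the path, so redacting the server log does not replace resetting the listed passwords.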