Article Number: 000017123 | Last Modified: 2018/06/12
Description
Issue Background
Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.
Issue Detail
The URL in the request appears to contain a session token within the query string:
• https://xxxxxxxxxx/QvAjaxZfc/QvsViewClient.aspx?public=only&name=xx.htm&target=Document.xxx.ADD&session=%7BE374294A-686A-4C85-81C3-8141E1906B24%7D&host=QVS%40XXXXXXXXX&view=XXX%2FXXXX%20BXXXX%XXXX.qvw&remote=%2FQvAjaxZfc%2FQvsViewClient.aspx&xrfkey=RZyai22pXwIPsotbXXXX
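The background paragraph lists where a tokenised URL ends up: server and proxy logs (the request line) and third-party logs (the Referer header). The check below is an added example, not code from the article or from Qlik: it scans access-log lines in Combined Log Format and flags query parameters in both the request target and the Referer field that look like session or anti-CSRF tokens, percent-decoding values first so that a braced GUID such as the `%7B...%7D` session value above is recognised. The parameter names `session` and `xrfkey` come from the flagged URL; the other names, the hosts and the token values in the sample lines are assumed or made up for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names that commonly carry session or anti-CSRF material.
# "session" and "xrfkey" are the names in the flagged QvAjaxZfc URL;
# the others are assumed generic names, not Qlik-specific.
SENSITIVE_PARAM_NAMES = {
    "session", "sessionid", "sid", "jsessionid", "phpsessid",
    "token", "access_token", "auth", "csrf", "xsrf", "xrfkey",
}

# A GUID with or without braces: the flagged session value decodes to {GUID}.
GUID_RE = re.compile(
    r"^\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?$",
    re.IGNORECASE,
)
# Long mixed letter/digit value without separators: typical of opaque tokens.
OPAQUE_RE = re.compile(r"^(?=.*[0-9])(?=.*[A-Za-z])[A-Za-z0-9_\-+/=]{16,}$")

# Combined Log Format: pull out the request target and the Referer field.
LOG_RE = re.compile(
    r'"(?:[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+" \d+ \S+ "(?P<referer>[^"]*)"'
)


def flag_url(url):
    """Return [(param, reason)] for query parameters that look like session or
    anti-CSRF tokens. parse_qsl percent-decodes values, so %7B...%7D is seen
    as {...} and matches the GUID pattern."""
    findings = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAM_NAMES:
            findings.append((name, "sensitive parameter name"))
        elif GUID_RE.match(value):
            findings.append((name, "GUID-shaped value"))
        elif OPAQUE_RE.match(value):
            findings.append((name, "opaque token-shaped value"))
    return findings


def scan_log(lines):
    """Scan access-log lines and report tokens found in the request target
    (recorded in this server's own log) and in the Referer field (sent by the
    client because the page it came from carried the token in its URL)."""
    report = []
    for lineno, line in enumerate(lines, start=1):
        m = LOG_RE.search(line)
        if not m:
            continue
        for where in ("target", "referer"):
            for param, reason in flag_url(m.group(where)):
                report.append((lineno, where, param, reason))
    return report


# Constructed sample lines: hosts, paths and token values are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jun/2018:10:00:01 +0000] "GET /QvAjaxZfc/QvsViewClient.aspx'
    '?public=only&name=doc.htm&session=%7B0F1E2D3C-4B5A-6978-8A9B-0C1D2E3F4A5B%7D'
    '&xrfkey=Ab12Cd34Ef56Gh78 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [12/Jun/2018:10:00:02 +0000] "GET /static/logo.png HTTP/1.1"'
    ' 200 812 "https://app.example.invalid/QvAjaxZfc/QvsViewClient.aspx?session='
    '%7B0F1E2D3C-4B5A-6978-8A9B-0C1D2E3F4A5B%7D" "Mozilla/5.0"',
    '10.0.0.6 - - [12/Jun/2018:10:00:03 +0000] "GET /health?check=ok HTTP/1.1"'
    ' 200 2 "-" "curl/7.58"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("line %d: %s param %r (%s)" % hit)
```

Hits in the request target show what the server and any intermediate proxy have already stored; hits in the Referer field show a token that the browser has just disclosed to whichever origin served the page. Both are triage input rather than confirmed findings: as the Qlik response below notes, not every parameter named `session` identifies an authenticated user.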
Resolution
It has been observed that sensitive information, namely a session identifier and a CSRF token, is passed in the query string of a GET request.
Qlik Response
The session id identified in the GET request is not used to track or identify an authenticated user. It is instead used to keep track of selections made within an app. The sensitivity of this information is seen by Qlik as low.