Article Number: 000017123 | Last Modified: 2018/06/12
Issue Background Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.
Issue Detail The URL in the request appears to contain a session token within the query string: • https://xxxxxxxxxx/QvAjaxZfc/QvsViewClient.aspx?public=only&name=xx.htm&target=Document.xxx.ADD&session=%7BE374294A-686A-4C85-81C3-8141E1906B24%7D&host=QVS%40XXXXXXXXX&view=XXX%2FXXXX%20BXXXX%XXXX.qvw&remote=%2FQvAjaxZfc%2FQvsViewClient.aspx&xrfkey=RZyai22pXwIPsotbXXXX
It has been observed that sensitive information, namely a session identifier (the session parameter) and a CSRF token (the xrfkey parameter), is being passed in the query string of a GET request.
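The two places the background section names as leak points, the web server's own access log and the Referer header sent to third parties, can both be checked with a small log scanner. The following Python script is an added example and is not Qlik's code or part of this article: it flags query parameters whose names match the session and xrfkey parameters seen in the reported URL (plus a few generic token names added here as an assumption), and it rewrites a URL so the token values are masked before it is written to a log. The log lines and the placeholder token values are constructed for the example; the hostname qlik.example is fictitious.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Parameter names that carry session or anti-CSRF tokens. "session" and
# "xrfkey" are the two seen in the reported URL; the rest are generic names
# added as an assumption to widen coverage.
SENSITIVE_PARAMS = {
    "session", "xrfkey", "sessionid", "jsessionid", "phpsessid",
    "token", "csrf", "csrftoken",
}

# Apache/nginx "combined" log format: client, timestamp, request line,
# status, size, Referer, User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d+) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def find_sensitive_params(url):
    """Return the sorted names of token-like query parameters in url.

    Works on absolute URLs and on bare request paths; values are not decoded,
    so malformed percent-encoding in other parameters is left alone.
    """
    query = urlsplit(url).query
    names = set()
    for pair in query.split("&"):
        name, sep, _value = pair.partition("=")
        if sep and name.lower() in SENSITIVE_PARAMS:
            names.add(name)
    return sorted(names)


def redact_url(url, mask="REDACTED"):
    """Return url with the values of token-like parameters replaced by mask.

    The query string is rewritten in place without decoding or reordering it,
    so the result is safe to log while every other parameter is unchanged.
    """
    parts = urlsplit(url)
    if not parts.query:
        return url
    out = []
    for pair in parts.query.split("&"):
        name, sep, value = pair.partition("=")
        if sep and name.lower() in SENSITIVE_PARAMS:
            value = mask
        out.append(name + sep + value)
    return urlunsplit(parts._replace(query="&".join(out)))


def scan_log(lines):
    """Report (timestamp, field, params) for every request path or Referer
    in the given combined-format log lines that carries a token parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for field in ("path", "referer"):
            params = find_sensitive_params(m.group(field))
            if params:
                findings.append((m.group("ts"), field, params))
    return findings


# Constructed sample log (not real traffic). Line 1 is the request itself as
# the application server would log it; line 2 is the entry a third-party
# server would write when the browser follows an off-site link from that
# page and sends the full URL in the Referer header; line 3 is clean.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jun/2018:10:15:01 +0000] "GET /QvAjaxZfc/QvsViewClient.aspx'
    '?public=only&name=app.htm&session=%7B00000000-0000-0000-0000-000000000000%7D'
    '&xrfkey=0123456789abcdef HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [12/Jun/2018:10:15:07 +0000] "GET /static/logo.png HTTP/1.1" 200 2048 '
    '"https://qlik.example/QvAjaxZfc/QvsViewClient.aspx?session=%7B00000000-0000-0000-0000-000000000000%7D'
    '&xrfkey=0123456789abcdef" "Mozilla/5.0"',
    '10.0.0.6 - - [12/Jun/2018:10:16:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ts, field, params in scan_log(SAMPLE_LOG):
        print(f"{ts}: token parameter(s) {params} found in {field}")
    print(redact_url("https://qlik.example/QvAjaxZfc/QvsViewClient.aspx"
                     "?public=only&session=%7B0000%7D&host=QVS%40SRV&xrfkey=abc"))
```

The scanner reports both the request path on the first line and the Referer on the second, which is the Referer disclosure the background section describes. Note that the scanner treats xrfkey the same way as session, since both are carried in the query string of the reported URL, whereas the Qlik response below addresses only the session parameter.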
Qlik Response The session id identified in the GET request is not used to track or identify an authenticated user; it is instead used to keep track of selections made within an app. Qlik considers the sensitivity of this information to be low.