When a user completes the captcha they are meant to be redirected to the last known URI they requested; however, the current implementation presumes that a single IP will have a single user. So if another request comes from another user on the same IP, the original requester will get redirected to another location.
Security Concerns
So this might spark ideas of session hijacking if the application holds sensitive information within the query string. However, we only store ngx.var.uri, which is normalised to only be the base path with everything else stripped.
Fix
So the optimal solution is generating a session ID which is used within a cookie that is sent on captcha completion; this is how we would know which URL belongs to which session without relying heavily on just the IP address.
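One way to implement the cookie-bound lookup the fix describes, written here as an added OpenResty example rather than the project's own code. It assumes an nginx `lua_shared_dict captcha_sessions 1m;` declaration, a cookie named `captcha_sid`, a five-minute TTL and the `lua-resty-string` modules for random bytes; all of those names are illustrative choices, not anything the issue specifies.

```lua
-- captcha_redirect.lua  (added illustration; not the project's own code)
-- Assumes nginx.conf declares:  lua_shared_dict captcha_sessions 1m;
-- Cookie name, TTL and dict name below are illustrative choices.
local random = require "resty.random"   -- from lua-resty-string
local str    = require "resty.string"

local SESSIONS    = ngx.shared.captcha_sessions
local COOKIE_NAME = "captcha_sid"
local TTL_SECONDS = 300

local M = {}

-- 128 bits from a CSPRNG, so one visitor cannot guess another's ID and
-- steer their post-captcha redirect.
local function new_session_id()
  local bytes = random.bytes(16, true)  -- true = strong random; nil on failure
  if not bytes then
    ngx.log(ngx.ERR, "strong random unavailable")
    return nil
  end
  return str.to_hex(bytes)
end

local function current_session_id()
  local sid = ngx.var["cookie_" .. COOKIE_NAME]
  -- Only accept what we minted ourselves: exactly 32 hex characters.
  if sid and #sid == 32 and sid:match("^%x+$") then
    return sid
  end
  return nil
end

-- Run when a request is challenged: remember where THIS browser wanted to go,
-- keyed by its session cookie instead of by ngx.var.remote_addr.
function M.remember_and_challenge()
  local sid = current_session_id()
  if not sid then
    sid = new_session_id()
    if not sid then return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR) end
    ngx.header["Set-Cookie"] = COOKIE_NAME .. "=" .. sid
      .. "; Path=/; Max-Age=" .. TTL_SECONDS .. "; HttpOnly; SameSite=Lax; Secure"
  end
  -- ngx.var.uri is the normalised path only (no query string), so nothing
  -- from the query string is persisted, as the issue notes.
  local ok, err = SESSIONS:set(sid, ngx.var.uri, TTL_SECONDS)
  if not ok then ngx.log(ngx.ERR, "captcha session store failed: ", err) end
  -- ... render the captcha page here ...
end

-- Run after the captcha answer has been verified.
function M.redirect_after_success()
  local sid = current_session_id()
  local target = sid and SESSIONS:get(sid) or nil
  if sid then SESSIONS:delete(sid) end   -- single use
  -- Only an absolute path is ever stored, so this cannot become an open redirect.
  if type(target) ~= "string" or target:sub(1, 1) ~= "/" then
    target = "/"
  end
  return ngx.redirect(target, ngx.HTTP_MOVED_TEMPORARILY)
end

return M
```

`remember_and_challenge` belongs in the access-phase handler that decides to challenge a request, and `redirect_after_success` in the handler that verifies the captcha answer. Because the lookup key is now an unguessable per-browser cookie, two visitors behind the same NAT or proxy no longer overwrite each other's target, and the short TTL plus the delete-after-use keep the stored path from being reused later.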