
Idea: Change PTA method from GET to POST

Idea posted October 15, 2012 by Matthew Callison, tagged Customer Portal

User Story / Description:

The current Pass Through Authentication method for RightNow CX uses GET requests to load customer data and authenticate them. This leads to the disclosure of user information on the URL line, including the customer email address and password hash. This information is saved in the web browser history file, in the web browser cache and by the web server's logs. In addition, the URL with sensitive information may be saved by external proxies in use. A proper login is still required to actually attempt to load the referenced URL. However, an attacker could use the disclosed customer email address to launch a brute force attack.

We are currently on Feb 11 and are in the process of upgrading to Aug 12. I read through the PTA documentation for Aug 12 and didn't see any major changes from our current version. I also checked with our CSM, but she was not aware of anything on the long-term roadmap that would address this issue.

I propose that PTA be modified to use the POST method instead, to prevent disclosing sensitive information in the URLs used.
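As an added illustration of the post's point (example code, not part of the idea and not Oracle's PTA implementation), the handler below accepts the credential fields only from a POST body and refuses them on a GET, and a companion helper redacts any such values that still reach a web server access log. The field names `email` and `password_hash`, the path `/pta/login` and the log line are all constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs, urlencode

# Hypothetical field names; the real PTA parameter names are not on the page.
SENSITIVE_FIELDS = {"email", "password_hash"}


def pta_login(method, url, body=""):
    """Handle a PTA request; credentials are taken only from the POST body.

    Returns (status, message). A GET that carries credential fields is
    refused outright, so there is never a reason for those values to sit on
    the URL line, where browser history, caches, proxies and access logs
    would record them.
    """
    query = set(parse_qs(urlsplit(url).query))
    if method == "GET":
        if SENSITIVE_FIELDS & query:
            return 400, "credentials must be sent in a POST body, not the URL"
        return 405, "use POST"
    if method != "POST":
        return 405, "use POST"
    form = parse_qs(body)
    if not SENSITIVE_FIELDS <= set(form):
        return 400, "missing credential fields"
    # Verifying the submitted credentials is out of scope for this example.
    return 200, "ok"


def redact_access_log_line(line):
    """Mask sensitive query-string values in a Common Log Format style line.

    Defensive companion to the GET-to-POST change: legacy GET traffic may
    still arrive, so scrub the values before the line is stored.
    """
    parts = line.split(" ")
    for i, token in enumerate(parts):
        if "?" not in token:
            continue
        path, _, qs = token.partition("?")
        pairs = []
        for key, values in parse_qs(qs, keep_blank_values=True).items():
            for value in values:
                pairs.append((key, "REDACTED" if key in SENSITIVE_FIELDS else value))
        parts[i] = path + "?" + urlencode(pairs)
    return " ".join(parts)


# Constructed sample access log line showing the leak the post describes.
SAMPLE_LOG_LINE = ('10.0.0.1 - - [15/Oct/2012:10:00:00 +0000] "GET /pta/login'
                   '?email=a%40example.com&password_hash=5f4dcc3b&lang=en HTTP/1.1" 200 512')
```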
