That's odd, my access logs are full of referers that contain everything after the hash...

On May 13, 2009, at 7:14 AM, Brian Eaton wrote:

On Wed, May 13, 2009 at 4:51 AM, Paul Lindner <lind...@inuus.com> wrote:
Moving the security token to the hash does not fix this problem. You will
still leak that information.

Yoichiro is right, the security token does not leak in the referer if
it is placed in the fragment.

One fix for this is to pass a short-lived security token in the URL (1
minute, say) and return a long-lived security token in the body of the
page.  If you implement a custom security token decoder in shindig
it's pretty easy to do this, just implement
SecurityToken.getUpdatedToken.
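
To make the exchange in Brian's reply concrete, here is an added, stand-alone Python sketch of the idea: a short-lived token is the only one that ever appears in a URL, and it is exchanged for a long-lived token returned in the page body. This is not Shindig code and does not implement Shindig's SecurityToken or SecurityTokenDecoder interfaces; the token format (HMAC-SHA256 over a JSON payload), the TTLs, and the function names mint_token, decode_token, updated_token and referer_for are assumptions for illustration. referer_for also shows why a token placed after the hash never reaches a Referer header while one in the query string does.

```python
"""Added example (not Shindig code): short-lived URL token exchanged for a
long-lived token in the page body, plus what a browser would put in Referer.
Token format, TTLs and names are assumptions for illustration."""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlsplit, urlunsplit

SHORT_TTL = 60        # seconds; the only token allowed to appear in a URL
LONG_TTL = 60 * 60    # seconds; token handed back inside the rendered page


class SecurityTokenError(Exception):
    pass


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(secret: bytes, owner: str, viewer: str, app_url: str,
               ttl: int, now: float) -> str:
    """Sign {owner, viewer, app, exp} with HMAC-SHA256 (assumed format)."""
    payload = json.dumps({"o": owner, "v": viewer, "a": app_url,
                          "exp": int(now) + ttl}, sort_keys=True).encode()
    mac = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64(payload) + ":" + _b64(mac)


def decode_token(secret: bytes, token: str, now: float) -> dict:
    """Verify signature and expiry; raise SecurityTokenError otherwise."""
    try:
        body, mac = token.split(":", 1)
        payload = _unb64(body)
        given = _unb64(mac)
    except (ValueError, TypeError) as exc:   # binascii.Error is a ValueError
        raise SecurityTokenError("malformed token") from exc
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        raise SecurityTokenError("bad signature")
    claims = json.loads(payload)
    if claims["exp"] < now:
        raise SecurityTokenError("expired")
    return claims


def updated_token(secret: bytes, url_token: str, now: float) -> str:
    """Exchange step: accept the short-lived token that came in the URL and
    mint the long-lived token to embed in the page body (the role Brian
    describes for getUpdatedToken; this is an illustration, not that API)."""
    claims = decode_token(secret, url_token, now)
    return mint_token(secret, claims["o"], claims["v"], claims["a"],
                      LONG_TTL, now)


def referer_for(page_url: str) -> str:
    """What a browser sends as Referer: scheme, host, path and query.
    The fragment (everything after '#') is never sent."""
    parts = urlsplit(page_url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       parts.query, ""))


if __name__ == "__main__":
    secret = b"server-side-secret"   # constructed sample key
    now = time.time()
    short = mint_token(secret, "owner1", "viewer1",
                       "http://example.org/gadget.xml", SHORT_TTL, now)
    long_lived = updated_token(secret, short, now)
    print("short-lived claims:", decode_token(secret, short, now))
    print("long-lived claims: ", decode_token(secret, long_lived, now))
    print("query  ->", referer_for("http://gadgets.example/ifr?st=" + short))
    print("fragment ->", referer_for("http://gadgets.example/ifr#st=" + short))
```

The short-lived token is checked against the server clock on the request that renders the page, and the long-lived one is what the gadget uses afterwards; if the short one is replayed after its minute has passed, decode_token refuses it even though the signature is still valid.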
