Is logging really a concern if you use HTTPS and avoid any proxy that 
terminates (MitM)? Of course you can argue about the nginx or similar you put 
in front of Guacamole, but if both components are administered by the same 
folks, you know whom to trust or fire anyway.

Regards, Joachim

From: Mike Jumper <mjum...@apache.org> 
Sent: Tuesday, 19 May 2020 21:06
To: user@guacamole.apache.org
Subject: Re: Session Token in URL

On Tue, May 19, 2020, 11:52 sciUser <shulb...@securitycentric.net> wrote:

What you want is what we do: we built a provisioning system that handles
Just-In-Time (JIT) tokens, and they expire after the session is terminated,
preventing students from bookmarking the URL.

The token is not part of any URL exposed to the user in that way. It's part of 
REST requests made internally by JavaScript. You're not going to bookmark or 
see a session token unless you go out of your way to do so and open up dev 
tools.

The concern that a token may be inadvertently logged by a proxy is a valid one, 
though, and we should look into changes to the REST services that would allow 
the token to be provided through a header. I think the main difficulty there 
would be with WebSocket, which lacks an API for setting headers.

- Mike
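The proxy-logging concern in the thread above, shown as an added example (this is not code from the thread or from the Guacamole project): a reverse proxy in "combined" log format records the request line verbatim, so a token carried in the query string lands in the access log, while the same token carried in a header does not, because the format never logs arbitrary headers. The token value, the request path `/api/example`, and the `Authorization: Bearer` header scheme are constructed for the example; the query key name `token` is an assumption. The redaction helpers show the mitigation available to a defender today for logs that are already being written.

```python
"""Token-in-URL vs token-in-header exposure in a reverse-proxy access log.

Added example, not part of the mailing-list thread or the Guacamole code base.
All request data below is constructed.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample token; not a real session token.
SAMPLE_TOKEN = "A1B2C3D4E5F6A7B8C9D0E1F2A3B4C5D6E7F8A9B0C1D2E3F4A5B6C7D8E9F0A1B2"

# Query-string keys whose values must never reach a log. "token" is the key
# name assumed for this example; the others are generic.
SENSITIVE_KEYS = ("token", "access_token", "session", "password")


def combined_log_line(req):
    """Render a request the way the nginx/Apache 'combined' format does.

    Only the request line, status, size, Referer and User-Agent are logged.
    Other headers (e.g. Authorization) are not part of the format, so a
    credential carried there stays out of the log while one in the URL does not.
    """
    return '%s - - [%s] "%s %s HTTP/1.1" %d %d "%s" "%s"' % (
        req["client"], req["time"], req["method"], req["target"],
        req["status"], req["bytes"], req.get("referer", "-"),
        req.get("user_agent", "-"))


def redact_url(url):
    """Replace the value of every sensitive query parameter with [REDACTED],
    leaving the path and the remaining parameters intact."""
    parts = urlsplit(url)
    pairs = [(k, "[REDACTED]" if k.lower() in SENSITIVE_KEYS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs, safe="[]")))


# Fallback for lines already written: matches ?token=... or &token=...
_SENSITIVE_RE = re.compile(
    r'([?&](?:%s)=)[^&\s"]+' % "|".join(SENSITIVE_KEYS), re.IGNORECASE)


def redact_log_line(line):
    """Scrub sensitive query values out of an already-written log line."""
    return _SENSITIVE_RE.sub(r"\1[REDACTED]", line)


def compare_exposure(token=SAMPLE_TOKEN):
    """Log the same REST call twice, token in the query string and token in
    an Authorization header, and report which variant leaks it."""
    base = {"client": "10.0.0.5", "time": "19/May/2020:21:06:00 +0000",
            "method": "GET", "status": 200, "bytes": 512,
            "user_agent": "Mozilla/5.0"}
    # Constructed path; the query key name is an assumption for the example.
    in_query = dict(base, target="/api/example?token=" + token)
    # Constructed header scheme; the proxy log format never sees it.
    in_header = dict(base, target="/api/example",
                     headers={"Authorization": "Bearer " + token})
    line_query = combined_log_line(in_query)
    line_header = combined_log_line(in_header)
    return {
        "query_line_leaks": token in line_query,
        "header_line_leaks": token in line_header,
        "redacted_query_line": redact_log_line(line_query),
        "redacted_url": redact_url(in_query["target"]),
    }


if __name__ == "__main__":
    for key, value in compare_exposure().items():
        print(f"{key}: {value}")
```

Redaction at the proxy only protects the proxy's own log; any upstream log, browser history entry or Referer leak of the same URL still carries the token, which is why moving it into a header is the real fix. The caveat Mike raises applies unchanged here: the browser WebSocket constructor takes only a URL and a subprotocol list, so a header-based scheme cannot cover the WebSocket endpoint without a separate mechanism.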