On Thu, Jun 18, 2020, 07:04 Abdul Qadir (aqadir) <[email protected]> wrote:
> ... > > I understand your concern, but these url’s are not going to be exposed to > the customer or anyone else. URL will be formed in the application and > internal to our application and anyhow once the url is hit it will change > in the encrypted form, as we can see in the guacamole as well. > You really, really shouldn't do this. It is insecure. You will be opening up your application to exploitation if you implement things in a way that users might manipulate. If you want to send users to particular connections dynamically, the way to do this is with an extension. The specifics of each connection can then be kept secure, controlled purely on the server side. If you cannot write an extension specific to your application, the extension I linked to earlier implements essentially what you need but securely (by accepting connection details that have been encrypted and signed with a secret, shared key). - Mike
