On Mon, Oct 5, 2020 at 4:14 PM Antony Awaida <[email protected]> wrote:
> Thanks Nick. Please note that this does not relate to connection sharing -
> rather it relates to a user passing his URL to another user.
>
> Many institutions are adding Multi-factor auth as an extra layer of
> security. They feel that while using Guac, a user can simply send his URL
> to another user and therefore bypass the layers of security.
>

I suppose this depends upon what you mean by "his URL." A user could dig in and find the token parameter of their session and share that with someone else, and that would allow the person receiving that token to basically act as the user who shared it. The token should certainly be protected, and, in most cases within the Guacamole Client application it is hidden from the user. It can be found using the developer console, but does not usually appear in the address bar.

There was a JIRA suggestion/improvement put in a while back to remove the token parameter from the URL and instead use a session variable or the like to further hide that. This would mitigate some of that risk, but, still, one way or the other - whether it's a cookie, a session variable, or a URL parameter - if someone is intent on finding it and giving it to someone else, they are going to be able to do that, and there isn't a fool-proof method of preventing users from abusing the system in that manner.

Otherwise, if you're just talking about the connection identifier (#/client/base64stringhere), there is nothing in that URL that is sensitive or would bypass any security measures - it's just a B64 encoding of the data source, connection type, and identifier.

-Nick
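As an added illustration of the distinction Nick draws (this is not code from the thread or from the Guacamole project), the snippet below decodes the `#/client/...` identifier and checks a URL someone proposes to share for a `token` parameter. It assumes the client identifier is base64 of `id`, `type` (`c` for a connection, `g` for a connection group) and data source name separated by NUL bytes, which is how the Guacamole web client encodes it; the host name, identifiers and token value in the sample URLs are constructed for the example and should be checked against your own deployment.

```javascript
// Added example, not Guacamole project code. Assumes the client identifier
// layout "id\0type\0dataSource" used by the Guacamole web client; the sample
// URLs below are constructed and carry no real token.

// Decode a #/client/<identifier> value into its three public fields.
function decodeClientIdentifier(encoded) {
  // Accept both standard and URL-safe base64 alphabets.
  const std = encoded.replace(/-/g, '+').replace(/_/g, '/');
  const raw = Buffer.from(std, 'base64').toString('utf8');
  const parts = raw.split('\0');
  if (parts.length !== 3) {
    throw new Error('not a Guacamole client identifier: ' + encoded);
  }
  const [id, type, dataSource] = parts;
  return { id, type, dataSource };
}

// Build an identifier the same way, so the round trip can be checked.
function encodeClientIdentifier({ id, type, dataSource }) {
  return Buffer.from(`${id}\0${type}\0${dataSource}`, 'utf8').toString('base64');
}

// Inspect a URL before it is shared: report which connection it names (not
// sensitive) and whether it carries a token (sensitive; acts as the user).
function inspectGuacUrl(urlString) {
  const url = new URL(urlString);
  const result = { connection: null, hasToken: false };

  // Route fragment of the form #/client/<identifier>[?query]
  const m = /^#\/client\/([^?]+)/.exec(url.hash);
  if (m) {
    result.connection = decodeClientIdentifier(decodeURIComponent(m[1]));
  }

  // A token may sit in the real query string (as on the tunnel endpoint) or
  // in a query appended to the fragment; treat either as sensitive.
  const fragQuery = url.hash.includes('?')
    ? url.hash.slice(url.hash.indexOf('?') + 1)
    : '';
  const queryParams = new URLSearchParams(url.search);
  const fragParams = new URLSearchParams(fragQuery);
  result.hasToken = queryParams.has('token') || fragParams.has('token');

  return result;
}

// Constructed samples: the address-bar URL a user would normally copy, and a
// tunnel URL of the kind only visible in the developer console.
const SHARED_URL =
  'https://guac.example.com/guacamole/#/client/' +
  encodeClientIdentifier({ id: '42', type: 'c', dataSource: 'postgresql' });

const TUNNEL_URL =
  'https://guac.example.com/guacamole/websocket-tunnel' +
  '?token=0123456789ABCDEF&GUAC_DATA_SOURCE=postgresql&GUAC_TYPE=c&GUAC_ID=42';

console.log(inspectGuacUrl(SHARED_URL));  // connection decoded, hasToken false
console.log(inspectGuacUrl(TUNNEL_URL));  // no connection route, hasToken true
```

The address-bar URL decodes to nothing more than a connection id, a type and a data source name, which the recipient still has to be authorized for; the tunnel URL is the one that must never be pasted anywhere, because whoever holds the `token` value is, to the server, the user who obtained it.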
