[ https://issues.apache.org/jira/browse/WOOKIE-384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13471462#comment-13471462 ]
Hoang Minh Tien commented on WOOKIE-384:
----------------------------------------
Thanks Matthias, but I'm not sure if it is a bug.
If you set the persist option on, the token is dedicated to a single widget
instance, not shared with all widget instances. If you put this widget instance on
any page (using the embedded code function), it can query the token and display
information associated with this token.
So if the information is private, and the page containing the widget instance is
public, it is not suitable to set persist on.
> persist parameter of oAuth feature not user-isolated
> ----------------------------------------------------
>
> Key: WOOKIE-384
> URL: https://issues.apache.org/jira/browse/WOOKIE-384
> Project: Wookie
> Issue Type: Bug
> Components: Feature Management
> Affects Versions: 0.14.0
> Environment: Windows 7, Chrome
> Reporter: Matthias Niederhausen
> Original Estimate: 3h
> Remaining Estimate: 3h
>
> When I use the "persist" parameter of the oAuth feature (which is the
> default), every other user will automatically use my token after I have
> approved access.
> This results in a severe security issue, e.g., my google contact list being
> shown to someone else.
> Using "false" for the parameter value, I have to re-authenticate every try
> (which is okay).
> The behaviour for "true" should instead be to cache the token for every
> individual user (i.e., widget instance).
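The scoping question discussed in this thread, as an added example that is not part of the original messages and is not Wookie's code: a toy token cache keyed either on the widget instance alone or on the instance plus the viewer. All names (`TokenStore`, `render`, `simulate`, the viewer and instance ids) are hypothetical and the data is constructed.

```python
from dataclasses import dataclass, field


@dataclass
class TokenStore:
    """Toy model of a persisted OAuth token cache (hypothetical, not Wookie's code)."""
    per_viewer: bool                      # False: key on the widget instance only
    _tokens: dict = field(default_factory=dict)

    def _key(self, instance_id, viewer):
        return (instance_id, viewer) if self.per_viewer else (instance_id,)

    def save(self, instance_id, viewer, token):
        self._tokens[self._key(instance_id, viewer)] = token

    def lookup(self, instance_id, viewer):
        return self._tokens.get(self._key(instance_id, viewer))


def render(store, instance_id, viewer, persist=True):
    """Return what the embedded widget would do for this viewer."""
    token = store.lookup(instance_id, viewer) if persist else None
    if token is None:
        return "authorize"   # viewer must go through the OAuth approval step
    return f"data-for:{token}"


def simulate(per_viewer, persist=True):
    """One embedded instance on a public page: alice approves, then others view it."""
    store = TokenStore(per_viewer=per_viewer)
    instance = "instance-1"  # constructed id; the same embed code serves every visitor
    if persist:
        store.save(instance, "alice", "alice-token")
    viewers = ("alice", "bob", "anonymous")
    return {v: render(store, instance, v, persist) for v in viewers}


def exposed_viewers(result, owner="alice"):
    """Viewers other than the owner who were served data under the owner's token."""
    return sorted(v for v, out in result.items()
                  if v != owner and out.startswith("data-for:"))


if __name__ == "__main__":
    for per_viewer in (False, True):
        outcome = simulate(per_viewer)
        print("per_viewer =", per_viewer, outcome, "exposed:", exposed_viewers(outcome))
```

With the instance-only key, every visitor to the page that embeds the instance is served under the approver's token; adding the viewer to the key sends other visitors to the approval step instead.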