[ 
https://issues.apache.org/jira/browse/WOOKIE-384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13471467#comment-13471467
 ] 

Matthias Niederhausen commented on WOOKIE-384:
----------------------------------------------

Hm, what I did was open the Wookie demo page in different browsers. Even 
the two demo pages shown when I select a widget there are different instances, 
from my understanding. After I then granted access to one of the widgets, the 
other no longer needed permission and received the token of the first widget.
                
> persist parameter of oAuth feature not user-isolated
> ----------------------------------------------------
>
>                 Key: WOOKIE-384
>                 URL: https://issues.apache.org/jira/browse/WOOKIE-384
>             Project: Wookie
>          Issue Type: Bug
>          Components: Feature Management
>    Affects Versions: 0.14.0
>         Environment: Windows 7, Chrome
>            Reporter: Matthias Niederhausen
>   Original Estimate: 3h
>  Remaining Estimate: 3h
>
> When I use the "persist" parameter of the oAuth feature (which is the 
> default), every other user will automatically use my token after I have 
> approved access.
> This results in a severe security issue, e.g., my Google contact list being 
> shown to someone else.
> Using "false" for the parameter value, I have to re-authenticate on every try 
> (which is okay).
> The behaviour for "true" should instead be to cache the token for every 
> individual user (i.e., widget instance).

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
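
The behaviour reported above, sketched as an added example (not Wookie's code and not part of the original message): a persisted token cache keyed only by widget, next to one keyed by widget instance. All class names, method names and sample values are hypothetical.

```java
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration; names are hypothetical, not taken from Wookie.
public class TokenCacheDemo {

    // Flawed: one persisted token per widget, regardless of who approved it.
    static class SharedTokenCache {
        private final Map<String, String> byWidget = new ConcurrentHashMap<>();
        void store(String widgetId, String instanceKey, String token) {
            byWidget.put(widgetId, token);   // instanceKey is ignored
        }
        Optional<String> lookup(String widgetId, String instanceKey) {
            return Optional.ofNullable(byWidget.get(widgetId));
        }
    }

    // Isolated: the cache key includes the widget instance, so a token is
    // only handed back to the instance whose user approved access.
    static class PerInstanceTokenCache {
        private record Key(String widgetId, String instanceKey) {}
        private final Map<Key, String> byInstance = new ConcurrentHashMap<>();
        void store(String widgetId, String instanceKey, String token) {
            byInstance.put(new Key(widgetId, instanceKey), token);
        }
        Optional<String> lookup(String widgetId, String instanceKey) {
            return Optional.ofNullable(byInstance.get(new Key(widgetId, instanceKey)));
        }
    }

    public static void main(String[] args) {
        // Constructed sample values: two instances of the same widget.
        String widget = "contacts-widget", first = "instance-A", second = "instance-B";

        SharedTokenCache shared = new SharedTokenCache();
        shared.store(widget, first, "token-for-A");
        // The second instance is served the first instance's token.
        System.out.println("shared cache, B sees: " + shared.lookup(widget, second));

        PerInstanceTokenCache isolated = new PerInstanceTokenCache();
        isolated.store(widget, first, "token-for-A");
        // B's lookup misses, so B has to go through its own authorization.
        System.out.println("per-instance, B sees: " + isolated.lookup(widget, second));
        System.out.println("per-instance, A sees: " + isolated.lookup(widget, first));
    }
}
```

The record syntax needs Java 16 or later.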
