Hiding the BBB API URL or changing the attendee password


benbit

Apr 11, 2011, 8:47:42 AM
to BigBlueButton-dev
Hi there,

We're using BBB together with Drupal. All our authentication and
authorization is done by Drupal. We introduced a 6-digit code with
which you can join a session without having a Drupal account. Now if
you join with this code, Drupal checks its database for the given code
and redirects to a certain BBB session. While redirecting, the user
could run an HTTP header sniffer (or any network sniffer for that
matter) to get the direct API URL for joining the session. Now if a
moderator changes the 6-digit code, the user could still open the
session via the direct API URL, since he now bypasses all the
authorization within Drupal.

My question is now: is there a better way of hiding the API call, or is
there a way to change the attendee password via the API? Then I could
always change the attendee password when the 6-digit code has been
changed.

Thanks in advance
Regards Benjamin

Fred Dixon

Apr 11, 2011, 9:18:55 AM
to bigblueb...@googlegroups.com
Hi Benbit,

We've not worked with the Drupal integration, so we're not familiar
with its logic. There isn't any way to hide the URL that comes down
to the browser ... whatever you do, at the end of the day, the browser
must be able to open the URL and that URL will be visible to an
external tool.

The best practice is to change the meetingID for each session. That
way, even if someone runs an HTTP Sniffer, their URL is only valid for
the current session. For more discussion on this, see

http://groups.google.com/group/bigbluebutton-dev/browse_thread/thread/9be5aae1648bcab

Regards,... Fred
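
The per-session meetingID practice from the reply above, sketched as an added example that is not part of the original thread or of the BigBlueButton or Drupal code. The base URL, the shared secret and all function names are assumptions; the checksum follows the BigBlueButton API scheme of SHA-1 over call name, query string and shared secret. The portal would call `new_session()` again whenever the 6-digit code changes, so a join URL captured earlier no longer names the room's current session.

```python
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed placeholders, not values from the thread.
BBB_BASE = "https://bbb.example.org/bigbluebutton/api"
BBB_SECRET = "constructed-shared-secret"


def signed_url(call, params):
    """Build an API URL; checksum = SHA1(call name + query string + secret)."""
    query = urlencode(params)
    checksum = hashlib.sha1((call + query + BBB_SECRET).encode()).hexdigest()
    return f"{BBB_BASE}/{call}?{query}&checksum={checksum}"


def new_session(room_name):
    """Mint a fresh meetingID and fresh passwords for one session of a room.

    The portal stores this record and maps the current 6-digit code to it.
    """
    return {
        "name": room_name,
        "meetingID": f"{room_name}-{secrets.token_hex(8)}",
        "attendeePW": secrets.token_urlsafe(12),
        "moderatorPW": secrets.token_urlsafe(12),
    }


def create_url(session):
    """Server-side 'create' call; never sent to the browser."""
    return signed_url("create", session)


def join_url(session, full_name):
    """The URL the guest is redirected to (visible to the browser)."""
    return signed_url("join", {
        "fullName": full_name,
        "meetingID": session["meetingID"],
        "password": session["attendeePW"],
    })


def targets_session(captured_url, session):
    """True if a previously issued join URL still points at this session."""
    q = parse_qs(urlparse(captured_url).query)
    return (q.get("meetingID") == [session["meetingID"]]
            and q.get("password") == [session["attendeePW"]])
```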
