ClaimedIdentifier on Querystring?

28 views
Skip to first unread message

Joao Carlos Leme

unread,
May 16, 2012, 12:00:42 PM5/16/12
to dotnet...@googlegroups.com
Hi there! Is it safe to expose the ClaimedIdentifier on a querystring or is this an information that should be kept safely encrypted on a cookie for example? Can something be done by a malicious user with the ClaimedIdentifier from the provider response?
Thanks,
João Carlos Leme
Equipe SeguroFacil.Net
Tel:  (11) 3522-5550 / 3159-3434
Fax:  (11) 3259-0430
Web:  www.segurofacil.net


Esta mensagem, incluindo seus anexos, é de uso exclusivo do destinatário e pode conter informações confidenciais e/ou privilegiadas cuja divulgação é restrita. Caso você não seja o destinatário, qualquer uso, cópia, alteração, divulgação, veiculação, reprodução ou distribuição desta mensagem e seus anexos, no todo ou parte, é estritamente proibida. Neste caso, por favor notifique o remetente imediatamente respondendo este email e exclua esta mensagem.

This message, including its attachments, is intended for the exclusive use of its addressee and may contain confidential, proprietary and/or privileged information of restricted disclosure. If you are not the intended recipient, any use, copy, modification, disclosure, dissemination, reproduction or distribution of either the whole or part of this message, or the attached documents, is strictly prohibited. In this case, please notify the sender immediately by reply e-mail and delete this message.

Andrew Arnott

unread,
May 16, 2012, 5:55:28 PM5/16/12
to dotnet...@googlegroups.com
The Claimed Identifier is only as "confidential" as a username alone would be.  It cannot be used maliciously except to identify the user who is attempting to log in (possibly correlating their activities with other web sites).
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre


--
You received this message because you are subscribed to the Google Groups "DotNetOpenAuth" group.
To post to this group, send email to dotnet...@googlegroups.com.
To unsubscribe from this group, send email to dotnetopenid...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/dotnetopenid?hl=en.

Joao Leme

unread,
May 16, 2012, 9:13:47 PM5/16/12
to dotnet...@googlegroups.com
Thanks Andrew! That's what I thought but wanted to be on the safe side and double check.


On Wednesday, May 16, 2012 6:55:28 PM UTC-3, Andrew Arnott wrote:
The Claimed Identifier is only as "confidential" as a username alone would be.  It cannot be used maliciously except to identify the user who is attempting to log in (possibly correlating their activities with other web sites).
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre


On Wed, May 16, 2012 at 9:00 AM, Joao Carlos Leme wrote:
Hi there! Is it safe to expose the ClaimedIdentifier on a querystring or is this an information that should be kept safely encrypted on a cookie for example? Can something be done by a malicious user with the ClaimedIdentifier from the provider response?
Thanks,
João Carlos Leme
Equipe SeguroFacil.Net
Tel:  (11) 3522-5550 / 3159-3434
Fax:  (11) 3259-0430
Web:  www.segurofacil.net


Esta mensagem, incluindo seus anexos, é de uso exclusivo do destinatário e pode conter informações confidenciais e/ou privilegiadas cuja divulgação é restrita. Caso você não seja o destinatário, qualquer uso, cópia, alteração, divulgação, veiculação, reprodução ou distribuição desta mensagem e seus anexos, no todo ou parte, é estritamente proibida. Neste caso, por favor notifique o remetente imediatamente respondendo este email e exclua esta mensagem.

This message, including its attachments, is intended for the exclusive use of its addressee and may contain confidential, proprietary and/or privileged information of restricted disclosure. If you are not the intended recipient, any use, copy, modification, disclosure, dissemination, reproduction or distribution of either the whole or part of this message, or the attached documents, is strictly prohibited. In this case, please notify the sender immediately by reply e-mail and delete this message.

--
You received this message because you are subscribed to the Google Groups "DotNetOpenAuth" group.
To post to this group, send email to dotnet...@googlegroups.com.
To unsubscribe from this group, send email to dotnetopenid+unsubscribe@googlegroups.com.
Reply all
Reply to author
Forward
0 new messages