Skip to main content


Showing posts from April, 2018

Good case for avoiding sensitive information in url

Nothing extraordinary here, just an interesting case I came across today. This can be one of the examples we can give to app teams too. Someone posted a link from well known forum about some discussions on my WhatsApp group today. Upon clicking, it opened in the browser, after a while it prompted me to post something then I noticed that it wasn’t my name. :D Instead it was addressing me as ‘Ronnie’. We both were surprised and amused. Then I searched all my emails and WhatsApp chats to find that once, long time back Ronnie had posted a link from the same forum to me, which was very long and contained probably session information, token etc. Now this would have happened in background: ·         The long link (URL), from Ronnie, contained session information/ token in the URL ·         The session token has been persistent and active for a pretty long duration (almost 6 months) ·         I clicked a new unrelated link today from another group and Ronnie’s session token