How to avoid sensitive information like session data key, relay state etc as part of query params in WSO2 IS

0
votes

I am using WSO2 IS 5.3.0 version. When I open login page I am seeing more information in Query parameter of the URL. How to avoid this information being transmitted through query params.

Eg: https://sample.com/authenticationendpoint/login.do?RelayState=https://sample.com/callback?client_name=Saml2Client&commonAuthCallerPath=/samlsso&forceAuth=false&passiveAuth=false&tenantDomain=carbon.super&sessionDataKey=11122234-o4df-5f6c-333a-23jghruy54jf&relyingParty=temp&type=samlsso&sp=temp&isSaaSApp=true&authenticators=BasicAuthenticator:LOCAL

1
wso2wso2iswso2carbon

1 Answers

2
votes

None of the above parameters are sensitive information and used to convey state information across browser redirection.

One might suspect "sessionDataKey" would carry sensitive information. However lifetime of that is ended once the authentication flow completed with Success or Failure.

Sensitive information in the URL parameters, are the parameters which can be retrieved from logs of intermediary, and can be used to forge new valid request. None of those parameters can be used for that purpose.