
How's this for security

Status
Not open for further replies.
Joined
Apr 15, 2005
Posts
634
Reaction score
15
I pressed a link to a Sedo auction, and not only did it take me to the auction, it also logged me into the seller's account, where I was free to browse his domains or do whatever I liked with his account.

=Screenshot removed at the request of Sedo=

Now that's what I call security :rolleyes:

Suppose posting the Session ID in the link didn't help :D
 
Jesus. discount the good uns and go buying...!!
 
Thanks for this info J2. I suppose the answer is to not let any domains go to Auction until Sedo confirm that this appalling glitch is sorted.
 
I think it is if someone posts the URL themselves.

I have had something similar when someone sent me a portfolio link - which had them still logged in!
 
Yes, the seller posted the Session ID with the link. Session IDs don't last forever, and I don't suppose there is much Sedo can do about it; it's up to the person posting the link to make sure there is no Session ID in the link.
 
You'd think a cookie test would be in order?
 
One of the most interesting parts is nobody wants to look at colleen!!
 
Hi everyone,

Just had a talk with tech about this. As you are aware, if a session ID is posted anywhere and the user is online (meaning the session is still active), you will be logged into the other user's account.

Obviously, this is not desirable. We will be switching to Cookie sessions in the near future to do away with this problem, as we certainly want to make sure our system is as secure as possible.

Again, thank you for bringing this to our attention. Tech's working on the solution right now.

Kind regards,

Brad
[email protected]
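Added example, not part of the original thread and not Sedo's code: a small Python helper that strips session identifiers from a URL before it is pasted into a forum post or e-mail, covering both query-string and `;name=value` path parameters. The parameter names in `SESSION_KEYS` and the sample URLs are assumptions, since the thread does not say which name Sedo used.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed names for URL-carried session identifiers (not taken from the thread).
SESSION_KEYS = {"sid", "session", "sessionid", "session_id",
                "sessid", "phpsessid", "jsessionid"}


def _is_session_key(name):
    return name.lower() in SESSION_KEYS


def scrub_url(url):
    """Return (clean_url, removed_keys) with session identifiers stripped."""
    parts = urlsplit(url)
    removed = []

    # Path parameters, e.g. /list;jsessionid=ABC
    segments = []
    for segment in parts.path.split("/"):
        head, *params = segment.split(";")
        kept = []
        for param in params:
            key = param.split("=", 1)[0]
            if _is_session_key(key):
                removed.append(key)
            else:
                kept.append(param)
        segments.append(";".join([head] + kept))
    path = "/".join(segments)

    # Query-string parameters, e.g. ?domain=x&PHPSESSID=ABC
    pairs = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if _is_session_key(key):
            removed.append(key)
        else:
            pairs.append((key, value))

    clean = urlunsplit((parts.scheme, parts.netloc, path,
                        urlencode(pairs), parts.fragment))
    return clean, removed


if __name__ == "__main__":
    # Constructed sample link; the host and token are placeholders.
    sample = "https://auctions.example/bid.php?domain=example.test&PHPSESSID=abc123"
    print(scrub_url(sample))
```

A non-empty `removed_keys` list means the original link would have handed the reader the poster's live session; the server-side fix described in the post above (cookie sessions) removes the need for this check.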
 