https://community.esri.com/t5/arcgis-online-questions/token-etc-is-sent-to-any-webserver-security-issue/m-p/280012#M13912 <HTML><HEAD></HEAD><BODY><P>Hi Hans,</P><P></P><P>Thank you for bringing up this issue. This has been logged as a bug which you can find on the support services site: <A href="http://support.esri.com/bugs/nimbus/QlVHLTAwMDA5NjYzOQ==" title="http://support.esri.com/bugs/nimbus/QlVHLTAwMDA5NjYzOQ==">BUG-000096639: Esri authorization cookies are included in requests ..&nbsp; </A></P><P></P><P>You can contact your support organization to be attached to the bug for tracking purposes. If you have security concerns in the future, I want to encourage you to log them on our trust.arcgis.com site:&nbsp; <A href="http://doc.arcgis.com/EN/TRUST/SECURITY-CONCERN/" title="http://doc.arcgis.com/EN/TRUST/SECURITY-CONCERN/">Report a Security Concern | ArcGIS</A>&nbsp; </P><P></P><P>-Kelly</P></BODY></HTML> Thu, 09 Jun 2016 18:39:12 GMT KellyGerrow 2016-06-09T18:39:12Z https://community.esri.com/t5/arcgis-online-questions/token-etc-is-sent-to-any-webserver-security-issue/m-p/280010#M13910 <HTML><HEAD></HEAD><BODY><P>I just registered to ArcGIS Online to build my own map by adding Web Services. </P><P></P><P>Now when I do that, my ArcGIS-Online Cookie which contains my username, my token, my accountId, my role, my region, my culture etc. is send via REST to that URL I connect to.</P><P></P><P>I think this makes all the accounts pretty insecure. Or not? What do you think?</P><P></P><P>John</P></BODY></HTML> Fri, 13 May 2016 13:42:04 GMT https://community.esri.com/t5/arcgis-online-questions/token-etc-is-sent-to-any-webserver-security-issue/m-p/280010#M13910 HansDampf 2016-05-13T13:42:04Z https://community.esri.com/t5/arcgis-online-questions/token-etc-is-sent-to-any-webserver-security-issue/m-p/280011#M13911 <HTML><HEAD></HEAD><BODY><P>Unfortunately there are no comments to this topic. Maybe I explain a bit more.</P><P></P><P>In ArcGIS Online it's possible to connect to web service like ArcGIS Services or OGC WMS. These Services can be hosted anywhere in the world, on servers there. I discovered that ArcGIS Online sends an only for ArcGIS-Online relevant cookie with user information to the host Server of the&nbsp; Service (WMS etc.). Why does any server in the world needs my ArcGIS Online user credentials? This can`t be right</P><P></P><P>The thing is that some map service servers block cookies, because the absolutely don't need them. But ArcGIS Online can't connect to a map service if the cookie is blocked, a cookie only containing ArcGIS Online User Information, on a Server somewhere in the world ...</P><P></P><P>I hope someone at ESRI is concerned about this and their users' information.</P></BODY></HTML> Wed, 08 Jun 2016 14:49:40 GMT https://community.esri.com/t5/arcgis-online-questions/token-etc-is-sent-to-any-webserver-security-issue/m-p/280011#M13911 HansDampf 2016-06-08T14:49:40Z https://community.esri.com/t5/arcgis-online-questions/token-etc-is-sent-to-any-webserver-security-issue/m-p/280012#M13912 <HTML><HEAD></HEAD><BODY><P>Hi Hans,</P><P></P><P>Thank you for bringing up this issue. This has been logged as a bug which you can find on the support services site: <A href="http://support.esri.com/bugs/nimbus/QlVHLTAwMDA5NjYzOQ==" title="http://support.esri.com/bugs/nimbus/QlVHLTAwMDA5NjYzOQ==">BUG-000096639: Esri authorization cookies are included in requests ..&nbsp; </A></P><P></P><P>You can contact your support organization to be attached to the bug for tracking purposes. If you have security concerns in the future, I want to encourage you to log them on our trust.arcgis.com site:&nbsp; <A href="http://doc.arcgis.com/EN/TRUST/SECURITY-CONCERN/" title="http://doc.arcgis.com/EN/TRUST/SECURITY-CONCERN/">Report a Security Concern | ArcGIS</A>&nbsp; </P><P></P><P>-Kelly</P></BODY></HTML> Thu, 09 Jun 2016 18:39:12 GMT https://community.esri.com/t5/arcgis-online-questions/token-etc-is-sent-to-any-webserver-security-issue/m-p/280012#M13912 KellyGerrow 2016-06-09T18:39:12Z