Token etc. is sent to any webserver - security issue?

05-13-2016 06:42 AM
HansDampf
New Contributor

I just registered to ArcGIS Online to build my own map by adding Web Services.

Now when I do that, my ArcGIS Online cookie, which contains my username, my token, my accountId, my role, my region, my culture etc., is sent via REST to the URL I connect to.

I think this makes all the accounts pretty insecure. Or not? What do you think?

John

2 Replies
HansDampf
New Contributor

Unfortunately there are no comments on this topic. Maybe I should explain a bit more.

In ArcGIS Online it's possible to connect to web services like ArcGIS Services or OGC WMS. These services can be hosted anywhere in the world, on servers there. I discovered that ArcGIS Online sends a cookie that is only relevant to ArcGIS Online, with user information, to the host server of the service (WMS etc.). Why does any server in the world need my ArcGIS Online user credentials? This can't be right.

The thing is that some map service servers block cookies, because they absolutely don't need them. But ArcGIS Online can't connect to a map service if the cookie is blocked, a cookie only containing ArcGIS Online user information, on a server somewhere in the world ...

I hope someone at ESRI is concerned about this and their users' information.

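The behaviour described in the post above (a platform session cookie attached to requests for third-party map services that never needed it) is a cookie-scoping problem. The following is an added example, not Esri code and not how ArcGIS Online is implemented: it models the check a defender would want, namely detecting when a sensitive cookie is sent to a host outside the first-party domain, and the fix, namely stripping that cookie from cross-origin requests before they leave. The cookie name `esri_auth`, the first-party suffix `arcgis.com`, and the sample request records are constructed for illustration.

```python
"""Detect and prevent an auth cookie leaking to third-party service hosts.

Added example, not Esri's code. Models the issue in the thread: a cookie
carrying user identity is attached to requests for external WMS/map
services that have no legitimate use for it. All names below are assumed.
"""
from urllib.parse import urlsplit

# Assumed (constructed) configuration: which cookies carry identity, and the
# only domain suffixes that are allowed to receive them.
SENSITIVE_COOKIES = {"esri_auth"}
FIRST_PARTY_SUFFIXES = ("arcgis.com",)


def host_is_first_party(host: str, suffixes=FIRST_PARTY_SUFFIXES) -> bool:
    """True if host is a first-party domain or a subdomain of one.

    Matches on label boundaries so 'arcgis.com.evil.example' is rejected.
    """
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def parse_cookie_header(value: str) -> dict:
    """Parse 'a=1; b=2' into an ordered dict; tolerates '=' in values."""
    cookies = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            cookies[name] = val
    return cookies


def scope_cookies(url: str, cookie_header: str) -> str:
    """Return the Cookie header that may be sent to url.

    Sensitive cookies are dropped whenever the destination host is not
    first-party; non-sensitive cookies (e.g. a language preference) pass.
    """
    host = urlsplit(url).hostname or ""
    cookies = parse_cookie_header(cookie_header)
    if not host_is_first_party(host):
        cookies = {k: v for k, v in cookies.items() if k not in SENSITIVE_COOKIES}
    return "; ".join(f"{k}={v}" for k, v in cookies.items())


def find_leaks(requests):
    """requests: iterable of (url, cookie_header) pairs, e.g. from a proxy log.

    Returns [(host, [leaked cookie names])] for every third-party host that
    received a sensitive cookie.
    """
    leaks = []
    for url, cookie_header in requests:
        host = urlsplit(url).hostname or ""
        if host_is_first_party(host):
            continue
        leaked = sorted(set(parse_cookie_header(cookie_header)) & SENSITIVE_COOKIES)
        if leaked:
            leaks.append((host, leaked))
    return leaks


# Constructed sample: one first-party request, one external WMS request that
# wrongly carries the auth cookie, one external request that does not.
SAMPLE_REQUESTS = [
    ("https://www.arcgis.com/sharing/rest/portals/self", "esri_auth=abc; lang=en"),
    ("https://maps.example.org/wms?SERVICE=WMS&REQUEST=GetCapabilities",
     "esri_auth=abc; lang=en"),
    ("https://tiles.example.net/wmts", "lang=en"),
]

if __name__ == "__main__":
    for host, names in find_leaks(SAMPLE_REQUESTS):
        print(f"sensitive cookie(s) {names} sent to third-party host {host}")
    url, hdr = SAMPLE_REQUESTS[1]
    print(f"scoped Cookie header for {url}: {scope_cookies(url, hdr)!r}")
```

Run over a proxy or access log of outbound requests, `find_leaks` gives the detection view (which external hosts ever saw the identity cookie); `scope_cookies` is the preventive control, applied at the point where the client assembles the request so that a third-party service that "blocks cookies" is not needed for the identity cookie to stay home.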
KellyGerrow
Esri Frequent Contributor

Hi Hans,

Thank you for bringing up this issue. This has been logged as a bug which you can find on the support services site: BUG-000096639: Esri authorization cookies are included in requests ..

You can contact your support organization to be attached to the bug for tracking purposes. If you have security concerns in the future, I want to encourage you to log them on our trust.arcgis.com site: Report a Security Concern | ArcGIS

-Kelly
