DHTML strings (Out of Curiosity)

  • Context: HTML/CSS
  • Thread starter: WWGD
  • Tags: Curiosity, Strings

Discussion Overview

The discussion revolves around the security implications of using a specific string generated by an email server in relation to user authentication and session management. Participants explore whether this string can grant access to email messages if used on a different device or browser, and the role of session control in maintaining security.

Discussion Character

  • Debate/contested
  • Technical explanation

Main Points Raised

  • One participant questions if the string associated with an email message can be used to access that message from another computer, suggesting it may indicate a security vulnerability if true.
  • Another participant notes that sessions are tied to browsers rather than tabs, implying that switching tabs does not affect session security.
  • Several participants suggest manually logging out and testing the string to see if it still grants access, indicating a practical approach to understanding session behavior.
  • There is a discussion about how browsers handle persistent login information and whether this affects the ability to use the string across sessions.
  • One participant mentions that modern web applications typically use web storage to maintain state, which may differ from older technologies like DHTML, potentially affecting how the string functions.
  • A later reply emphasizes that if the application uses older technology, session management may rely on cookies or URL parameters, which could change the security dynamics.

Areas of Agreement / Disagreement

Participants express differing views on the security implications of using the string across devices and browsers. While some agree that session management is crucial, there is no consensus on whether the string can be used to access email messages from another device.

Contextual Notes

Limitations include the uncertainty surrounding how different email servers manage session states and the potential differences between modern web applications and older technologies like DHTML.

WWGD
Hi All,
Every time I log in to my email server and read my email, accessing a specific message, say M, generates a string S, I think in DHTML. Now, I pasted the string associated with M into another tab and it gained access to the same email. I am curious as to whether someone who knew the string S on another computer could gain access to either the message M or just to my login. Or does my access assume having logged in and grant access?
EDIT: I mean, say there is a message from mom in my daily email, and there is the associated (made up) string S:= 34%6-=mwery&& in my address bar. I can copy that string into a second tab and by clicking on it I gain access to the same message. If someone had access to this same string S on another computer: would they be able to access that email? I wonder if the string is generated after logging in, so that, if/when copied to another computer, the mail server would authorize access to it?
 
If it did, that would be a glaring hole in that server's email security. However, I can see something like that happening in more amateurish web sites without session control.
 
jedishrfu said:
If it did, that would be a glaring hole in that server's email security. However, I can see something like that happening in more amateurish web sites without session control.
Thanks, I agree, but the change of tabs still allows me to access the message.
 
Yes, but sessions are tied to browsers, not to tabs in browsers.
 
Manually log out.
Test that the logout worked.
Try the string.
 
hmmm27 said:
Manually log out.
Test that the logout worked.
Try the string.
Good idea. Following up, this worked, i.e., I logged out, pasted the string into the address bar and I was sent to the sign-up/login page.
 
Glad it worked. Cheers.
 
hmmm27 said:
Glad it worked. Cheers.

Or doesn’t as the case may be...
 
jedishrfu said:
Or doesn’t as the case may be...

The browser usually asks if you want to keep persistent login information between sessions, and logs in when you fire it up.

Didn't work for you ?
 
  • #10
jedishrfu said:
Or doesn’t as the case may be...
One thing I did not try was pasting the string into another device. I don't have a working second computer, and this is too cumbersome to try on my phone. Still, security was working well in that I was not allowed directly into my email, but instead I was referred to a login page asking me for a user name and password.
 
  • #11
hmmm27 said:
The browser usually asks if you want to keep persistent login information between sessions, and logs in when you fire it up.

Didn't work for you ?
I don't remember that. I don't remember changing the settings. I will check my Firefox. EDIT: The only semi-related setting is that it remembers my history.
 
  • #12
The browser carries login info, if anything. On some sites you leave the page and have to log in again; on some it will half log in and you have to enter the password; and some will try to get you to keep your login info persistent in a little file on disk.

Long story short, the string won't work without being in a logged-in condition in a browser that has your login info handy.
 
  • #13
hmmm27 said:
The browser carries login info, if anything. On some sites you leave the page and have to log in again; on some it will half log in and you have to enter the password; and some will try to get you to keep your login info persistent in a little file on disk.

Long story short, the string won't work without being in a logged-in condition in a browser that has your login info handy.
I'll check the mail settings.
 
  • #15
WWGD said:
One thing I did not try was pasting the string to another device.

A different browser should do the same thing as a different device. Try logging in with one browser, then do your experiment with a different brand of browser. If you get the message in the other browser, I would suggest you immediately stop using that email provider.

BoB

Edit: unless the authentication token is part of the URL.
 
  • #16
Most modern web applications use web storage [1], [2], either directly or indirectly via some library, to maintain local state in your browser. Since this state is shared between tabs, an application can be made to work like you describe, where the URL (the "address" you type or copy in) is used as a view into the same data. Note that, for security reasons, the storage data is associated with the website, so other applications in your browser from other sites will not be able to access this data. Note also that the state can be anything from a simple session ID up to the "full state" needed for applications that offer an offline mode.

Later: I only now paid attention to your use of the term DHTML, which refers to an older technology that is not the same as modern Ajax [3]. If you really are referring to a (very) old web-mail client that is implemented using DHTML (and not modern HTML5), then the web storage technology I described above is likely not in use in that application. Back then you would store a session ID cookie in the browser (or put it into the URL, as someone already noted) and then let the server manage all state.

[1] https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API
[2] https://en.wikipedia.org/wiki/Web_storage
[3] https://en.wikipedia.org/wiki/Ajax_(programming)
 
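A toy model of the two session designs discussed in this thread (an added example, not code from any participant or from any mail provider): a server-side session bound to a cookie, where the copied message URL is only a view and answers with a redirect to the login page on another browser or after logout, beside the "authentication token in the URL" case raised in post #15, where the address alone grants access. The MailServer class, its sample mailbox and the PASSWORD value are constructed for this demonstration.

```python
import secrets
from urllib.parse import urlparse, parse_qs

LOGIN_PAGE = "/login"
PASSWORD = "correct horse"  # constructed test credential


class MailServer:
    """Toy mail server: the URL only names a message; the session decides access."""

    def __init__(self, token_in_url=False):
        self.sessions = {}                       # session id -> username (server-side state)
        self.token_in_url = token_in_url         # weak variant: credential rides in the URL
        self.inbox = {"alice": {"M": "Message from mom"}}   # constructed sample mailbox

    def login(self, user, password):
        if password != PASSWORD:
            return None
        sid = secrets.token_urlsafe(32)          # unguessable session id
        self.sessions[sid] = user
        return sid                                # browser keeps it in a cookie

    def logout(self, sid):
        self.sessions.pop(sid, None)             # invalidate on the server, not just the browser

    def handle(self, url, cookies):
        """Return (status, body) for a request carrying the browser's cookies."""
        parsed = urlparse(url)
        sid = cookies.get("session")
        if self.token_in_url:                    # weak design reads the credential from the URL
            sid = parse_qs(parsed.query).get("token", [None])[0]
        user = self.sessions.get(sid)
        if user is None:
            return 302, LOGIN_PAGE               # no live session: redirect to the login page
        body = self.inbox.get(user, {}).get(parsed.path.rsplit("/", 1)[-1])
        return (200, body) if body else (404, "no such message")


def run_experiment():
    """Replay the thread's experiment; returns what the server answered at each step."""
    srv = MailServer()
    sid = srv.login("alice", PASSWORD)
    url = "/mail/M"
    out = {"second_tab": srv.handle(url, {"session": sid}),   # same browser shares the cookie
           "other_device": srv.handle(url, {})}               # no cookie: URL alone is useless
    srv.logout(sid)
    out["after_logout"] = srv.handle(url, {"session": sid})
    weak = MailServer(token_in_url=True)
    wurl = f"/mail/M?token={weak.login('alice', PASSWORD)}"   # token visible in the address bar
    out["token_in_url_other_device"] = weak.handle(wurl, {})
    return out
```

The first three results reproduce what WWGD observed (second tab works, logged-out browser is sent to the login page); the last one is the outcome that, per post #15, should make you stop using the provider.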
