HTML/CSS DHTML strings (Out of Curiosity)

The discussion revolves around the security implications of accessing email messages via DHTML strings. A user notes that copying a specific string associated with an email allows access to that message in a new tab, raising concerns about whether someone with that string could access the email from a different computer. It is clarified that the string would not work without being logged in on a browser that retains login information, indicating that session management is crucial for security. The conversation highlights that modern applications typically use web storage to maintain session state, while older systems may rely on cookies or URL parameters. Ultimately, the security of the email provider is questioned if access can be gained through just the string without proper authentication.
WWGD
Hi All,
Every time I log in to my email server and read my email, accessing a specific message, say M, generates a string S, I think in DHTML. Now, I pasted the string associated with M into another tab and it gained access to the same email. I am curious as to whether someone who knew the string S on another computer could gain access to either the message M or just to my login. Or does my access assume having logged in and grant access?
EDIT: I mean, say there is a message from mom in my daily email, and there is the associated (made-up) string S := 34%6-=mwery&& in my address bar. I can copy that string into a second tab and, by clicking on it, I gain access to the same message. If someone had access to this same string S on another computer, would they be able to access that email? I wonder whether the string is generated after logging in, so that, if/when copied to another computer, the mail server would authorize access to it?
If it did, that would be a glaring hole in that server's email security. However, I can see something like that happening in more amateurish web sites without session control.
jedishrfu said:
If it did, that would be a glaring hole in that server's email security. However, I can see something like that happening in more amateurish web sites without session control.
Thanks, I agree, but the change of tabs still allows me to access the message.
Yes, but sessions are tied to browsers, not to tabs in browsers.
Manually log out.
Test that the logout worked.
Try the string.
hmmm27 said:
Manually log out.
Test that the logout worked.
Try the string.
Good idea. Following up, this worked, i.e., I logged out, pasted the string into the menu bar, and I was sent to the sign-up/login page.
Glad it worked. Cheers.
hmmm27 said:
Glad it worked. Cheers.

Or doesn’t as the case may be...
jedishrfu said:
Or doesn’t as the case may be...

The browser usually asks if you want to keep persistent login information between sessions, and logs in when you fire it up.

Didn't work for you?
jedishrfu said:
Or doesn’t as the case may be...
One thing I did not try was pasting the string on another device. I don't have a working second computer, and this is too cumbersome to try on my phone. Still, security was working well in that I was not allowed directly into my email, but instead I was referred to a login page asking me for user name and password.
hmmm27 said:
The browser usually asks if you want to keep persistent login information between sessions, and logs in when you fire it up.

Didn't work for you?
I don't remember that. I don't remember changing the settings. I will check my Firefox. EDIT: Only semi-related setting is that it remembers my history.
The browser carries login info, if anything. On some sites you leave the page and have to log in again; on some it will half log in and you have to enter the password; and some will try to get you to keep your persistent login info in a little file on disk.

Long story short, the string won't work without being in a logged-in condition in a browser that has your login info handy.
hmmm27 said:
The browser carries login info, if anything. On some sites you leave the page and have to log in again; on some it will half log in and you have to enter the password; and some will try to get you to keep your persistent login info in a little file on disk.

Long story short, the string won't work without being in a logged-in condition in a browser that has your login info handy.
I'll check the mail settings.
WWGD said:
One thing I did not try was pasting the string to another device.

A different browser should do the same thing as a different device. Try logging in with one browser, then do your experiment with a different brand of browser. If you get the message in the other browser, I would suggest you immediately stop using that email provider.

BoB

Edit: unless the authentication token is part of the URL.
Most modern web applications use web storage [1], [2], either directly or indirectly via some library, to maintain local state in your browser. Since this state is shared between tabs, an application can be made to work like you describe, where the URL (the "address" you type or copy in) is used as a view into the same data. Note that, for security reasons, the storage data is associated with the web site, so other applications in your browser from other sites will not be able to access this data. Note also that the state can be anything from a simple session ID up to the "full state" needed for applications that offer an offline mode.

Later: I only now paid attention to your use of the term DHTML, which refers to an older technology that is not the same as modern Ajax [3]. If you really are referring to a (very) old web-mail client that is implemented using DHTML (and not modern HTML5), then the web storage technology I described above is likely not in use in that application. Back then you would store a session ID cookie in the browser (or put it into the URL, as someone already noted) and then let the server manage all state.

[1] https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API
[2] https://en.wikipedia.org/wiki/Web_storage
[3] https://en.wikipedia.org/wiki/Ajax_(programming)
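The behaviour the thread is probing (hmmm27's log-out test, rbelli1's different-browser test, and the session-cookie versus token-in-the-URL designs mentioned in the last two posts), modelled as an added Python example. This is not code from the thread or from any real webmail provider: the server, the account, the mailbox contents and the hostname mail.example are all constructed for illustration. The per-browser cookie jar dict stands in for whatever state (cookie or web storage) is shared by every tab of one browser but not by another browser or device.

```python
"""Toy webmail back end: does a message URL work outside the logged-in browser?

Added example, not the thread's or any provider's code. Account, mailbox,
hostname and session layout are all constructed.
"""
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed sample data: one account with two messages.
PASSWORDS = {"alice": "correct horse battery staple"}
MAILBOX = {"alice": {"m1": "Hi from mom", "m2": "Lunch on Friday?"}}


class WebMail:
    """Server side. token_in_url=True models the insecure design rbelli1
    warned about: the authentication token travels inside the URL, so
    anyone who holds the string holds the session."""

    def __init__(self, token_in_url: bool = False) -> None:
        self.sessions: Dict[str, str] = {}  # session id -> username
        self.token_in_url = token_in_url

    def login(self, user: str, password: str) -> Optional[str]:
        """Return a fresh random session id on success, None otherwise."""
        if PASSWORDS.get(user) != password:
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        return sid

    def logout(self, sid: str) -> None:
        # Server-side invalidation: the browser may still hold the cookie,
        # but it no longer maps to any user.
        self.sessions.pop(sid, None)

    def handle(self, url: str, cookies: Dict[str, str]) -> Tuple[int, str]:
        """Resolve a request as a browser would send it: the URL plus
        whatever cookies that browser holds for this site."""
        query = parse_qs(urlparse(url).query)
        if self.token_in_url:
            sid = query.get("token", [None])[0]
        else:
            sid = cookies.get("sid")
        user = self.sessions.get(sid)  # None when absent or invalidated
        if user is None:
            return (302, "/login")  # redirect to the sign-in page
        msg_id = query.get("id", [None])[0]
        body = MAILBOX[user].get(msg_id)
        if body is None:
            return (404, "no such message")
        return (200, body)


def run_experiment(token_in_url: bool = False) -> Dict[str, Tuple[int, str]]:
    """Replay the thread's tests: second tab, other browser/device, log out."""
    server = WebMail(token_in_url=token_in_url)
    firefox: Dict[str, str] = {}  # cookie jar shared by every tab of one browser
    sid = server.login("alice", PASSWORDS["alice"])
    assert sid is not None
    firefox["sid"] = sid

    url = "https://mail.example/read?id=m1"  # the "string S" for message M
    if token_in_url:
        url += "&token=" + sid  # S now carries the credential itself

    other_browser: Dict[str, str] = {}  # another brand, or another device
    results = {
        "tab1": server.handle(url, firefox),
        "tab2": server.handle(url, firefox),  # same jar, hence same session
        "other_browser": server.handle(url, other_browser),
    }
    server.logout(sid)
    results["after_logout"] = server.handle(url, firefox)
    return results


if __name__ == "__main__":
    for mode in (False, True):
        print("token in URL:", mode)
        for step, (status, body) in run_experiment(mode).items():
            print(f"  {step:14} -> {status} {body}")
```

With the session in a cookie, the URL opens the message in a second tab of the same browser but redirects to /login from a browser with no cookie jar for the site and from the original browser after logout, which is exactly what WWGD observed. With the token in the URL, the other browser reads the message too; that is the case in which rbelli1's advice to drop the provider applies, and the log-out step is the only one of the three tests that still passes.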
