DHTML strings (Out of Curiosity)

  1. Feb 6, 2019 #1

    WWGD

    Science Advisor
    Gold Member

    Hi All,
    Every time I log in to my email server and read my email, accessing a specific message, say M, generates a string S, I think in DHTML. Now, I pasted the string associated with M into another tab and it gained access to the same email. I am curious as to whether someone who knew the string S on another computer could gain access to either the message M or just to my login. Or does my access assume having logged in and grants access?
    EDIT: I mean, say there is a message from mom in my daily email, and there is the associated (made up) string S:= 34%6-=mwery&& in my address bar. I can copy that string into a second tab and by clicking on it I gain access to the same message. If someone had access to this same string S on another computer: Would they be able to access that email? I wonder if the string is generated after logging in, so that, if/when copied to another computer, the mail server would authorize access to it?
     
    Last edited: Feb 6, 2019
  3. Feb 6, 2019 #2

    jedishrfu

    Staff: Mentor

    If it did, that would be a glaring hole in that server's email security. However, I can see something like that happening in more amateurish web sites without session control.
     
  4. Feb 6, 2019 #3

    WWGD

    Science Advisor
    Gold Member

    Thanks, I agree, but the change of tabs still allows me to access the message.
     
  5. Feb 6, 2019 #4

    jedishrfu

    Staff: Mentor

    Yes, but sessions are tied to browsers, not tabs in browsers.
     
  6. Feb 6, 2019 #5
    Manually log out.
    Test that the logout worked.
    Try the string.
     
  7. Feb 7, 2019 #6

    WWGD

    Science Advisor
    Gold Member

    Good idea. Following up, this worked, i.e., I logged out, pasted the string on the menu bar and I was sent to the sign up/login page.
     
  8. Feb 7, 2019 #7
    Glad it worked. Cheers.
     
  9. Feb 7, 2019 #8

    jedishrfu

    Staff: Mentor

    Or doesn’t as the case may be...
     
  10. Feb 7, 2019 #9
    The browser usually asks if you want to keep persistent login information between sessions, and logs in when you fire it up.

    Didn't work for you?
     
  11. Feb 7, 2019 #10

    WWGD

    Science Advisor
    Gold Member

    One thing I did not try was pasting the string to another device. I don't have a working second computer, and this is too cumbersome to try on my phone. Still, security was working well in that I was not allowed directly into my email, but instead I was referred to a login page asking me for user name, password.
     
  12. Feb 7, 2019 #11

    WWGD

    Science Advisor
    Gold Member

    I don't remember that. I don't remember changing the settings. I will check my Firefox. EDIT: Only semi-related setting is that it remembers my history.
     
  13. Feb 7, 2019 #12
    The browser carries login info - if anything. Some sites you leave the page and have to log in again; some will half log in and you have to enter the password, and some will try to get you to keep your login info persistent in a little file on disk.

    Long story short, the string won't work without being in a logged-in condition in a browser that has your login info handy.
     
  14. Feb 7, 2019 #13

    WWGD

    Science Advisor
    Gold Member

    I'll check the mail settings.
     
  15. Feb 8, 2019 #14
  16. Feb 8, 2019 #15

    rbelli1

    Gold Member

    A different browser should do the same thing as a different device. Try logging in in one browser then do your experiment with a different brand browser. If you get the message in the other browser I would suggest you immediately stop using that email provider.

    BoB

    Edit: unless the authentication token is part of the URL.
     
  17. Feb 9, 2019 #16

    Filip Larsen

    Gold Member

    Most modern web applications use web storage [1], [2] either directly or indirectly via some library to maintain local state on your browser. Since this state is shared between tabs, an application can be made to work like you describe where the URL (the "address" you type or copy in) is used as a view into the same data. Note, for security reasons the storage data is associated with the web-site, so other applications in your browser from other sites will not be able to access this data. Note also, that state can be anything from a simple session ID up to the "full state" needed for applications that offer offline mode.

    Later: I first now paid attention to you using the term DHTML, which refers to an older technology that is not the same as modern Ajax [3]. If you really are referring to a (very) old web-mail client that is implemented using DHTML (and not modern HTML5) then the web storage technology I described above is likely not in use in that application. Back then you would store a session ID cookie on the browser (or put it into the URL as someone already noted) and then let the server manage all state.

    [1] https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API
    [2] https://en.wikipedia.org/wiki/Web_storage
    [3] https://en.wikipedia.org/wiki/Ajax_(programming)
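
The behaviour discussed in this thread, as an added example that is not part of any post: a constructed model of a webmail server that compares the session-cookie design (the URL only names the message) with the token-in-URL design mentioned in #15. The host `mail.example`, the message id, the user name and all function names are hypothetical.

```javascript
// Constructed model of a webmail server; every name and value is hypothetical.
const sessions = new Map(); // session id -> user, held on the server
const messages = { "m-1001": { owner: "wwgd", subject: "From mom" } };
let counter = 0;

function login(user) {
  // Stand-in id for the demo; a real server issues a long CSPRNG value.
  const sid = "sid-" + (++counter);
  sessions.set(sid, user);
  return { sid }; // the browser's cookie jar, shared by all of its tabs
}

function logout(jar) {
  sessions.delete(jar.sid); // the server forgets the session
}

function lookup(user, id) {
  if (!user) return { status: 302, location: "/login" };
  const msg = messages[id];
  if (!msg || msg.owner !== user) return { status: 404 };
  return { status: 200, subject: msg.subject };
}

// Cookie design: the URL only names the message, the cookie authorises.
function getMessage(url, jar = {}) {
  const id = new URL(url).searchParams.get("msg");
  return lookup(sessions.get(jar.sid), id);
}

// Token-in-URL design: the address itself carries the credential.
function getMessageUrlToken(url) {
  const q = new URL(url).searchParams;
  return lookup(sessions.get(q.get("sid")), q.get("msg"));
}

function runScenarios() {
  const url = "https://mail.example/read?msg=m-1001";
  const jar = login("wwgd");
  const out = {
    secondTab: getMessage(url, jar).status,  // same browser, same cookie
    otherDevice: getMessage(url, {}).status, // pasted URL, no cookie
    tokenUrlElsewhere: getMessageUrlToken(url + "&sid=" + jar.sid).status,
  };
  logout(jar);
  out.afterLogout = getMessage(url, jar).status; // session gone on the server
  out.tokenAfterLogout = getMessageUrlToken(url + "&sid=" + jar.sid).status;
  return out;
}

console.log(runScenarios());
```

With the cookie design the copied address is useless without the browser's session; with the token in the URL, anyone holding the address is treated as logged in until the server invalidates the session.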
     