chronic-care / mcc-project

MCC eCare Plan project planning and documentation
Apache License 2.0

MyCarePlanner 2.2.0 - third-party endpoint credentials are cached for all users, across sessions and browser restarts, potentially exposing healthcare data to unauthorized users #406

Open mattStorer opened 1 month ago

mattStorer commented 1 month ago

While debugging into issue #405 in Microsoft Edge, I observed the following behavior:

  1. Authenticate to MyChart POC as rosefhir
  2. Launch MyCarePlanner
  3. Connect to Cerner Sandbox as a third-party endpoint
  4. Authenticate as Wilma Smart (wilmasmart) user there
  5. Wilma Smart's data is brought into the MyCarePlanner app
  6. Authenticate to MyChart POC as andrew
  7. Launch MyCarePlanner
  8. Connect to Cerner Sandbox as a third-party endpoint
  9. Wilma Smart's data is brought immediately into the MyCarePlanner app, bypassing authentication

It appears that a third-party endpoint's credentials are being cached in the browser, but those credentials do not appear to be tied to the authenticated user (rosefhir, andrew) or to the active session / tab, nor are they cleared when the tab or browser is closed.

That is, when steps 1-5 are performed in one browser tab and steps 6-9 in another tab, the credentials are shared across tabs in the same way.

Further, cached credentials were verified to persist and be shared across closing the browser, reopening it, and loading MyCarePlanner for an entirely separate user.

Someone could use a browser to authenticate and load their third-party data, then close their browser, then someone else could come along and open the browser and load MyCarePlanner for themselves, and if they try to load the same third-party endpoint data for themselves, it will instead immediately load the previous user's data without requiring authentication.

This means that any user logging into the MyCarePlanner app using the same browser will obtain previously-obtained credentials to third-party providers, potentially exposing healthcare data to unauthorized users.
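The following is an added example, not MyCarePlanner code and not anything posted in this thread. It reproduces the failure pattern the report describes with an in-memory stand-in for the browser's `Storage` interface: a token cache keyed only by the third-party endpoint hands rosefhir's Cerner token to andrew, while a cache keyed by (authenticated app user, endpoint) that honours token expiry and is cleared on logout does not. The endpoint URL, token values and the `expiresAt` field are constructed for the example; in a real browser the hardened cache would be given `window.sessionStorage` rather than `localStorage` so it does not outlive the tab.

```javascript
// Added example (not MyCarePlanner code): reproduces the caching flaw reported
// above with an in-memory Storage stand-in, beside a scoped cache that avoids it.
// Endpoint URL, user names and token values below are constructed sample data.

// Minimal stand-in for window.localStorage / window.sessionStorage (same
// getItem/setItem/removeItem/key/length surface) so this runs in Node.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(key) { return this.map.has(key) ? this.map.get(key) : null; }
  setItem(key, value) { this.map.set(key, String(value)); }
  removeItem(key) { this.map.delete(key); }
  get length() { return this.map.size; }
  key(index) { return [...this.map.keys()][index] ?? null; }
}

const ENDPOINT = 'https://fhir.example.org/sandbox'; // constructed, not a real endpoint

// Flawed pattern, as described in the issue: the cache key carries only the
// third-party endpoint, so whichever app user connects to that endpoint next
// receives the previous user's token. Backed by localStorage it also survives
// tab and browser restarts.
class UnscopedTokenCache {
  constructor(storage) { this.storage = storage; }
  static key(endpoint) { return `token:${endpoint}`; }
  get(_appUser, endpoint) {
    const raw = this.storage.getItem(UnscopedTokenCache.key(endpoint));
    return raw === null ? null : JSON.parse(raw);
  }
  set(_appUser, endpoint, token) {
    this.storage.setItem(UnscopedTokenCache.key(endpoint), JSON.stringify(token));
  }
}

// Hardened pattern: key by (authenticated app user, endpoint), keep the entry
// in session-scoped storage, honour the token's expiry, and drop it on logout.
class ScopedTokenCache {
  constructor(storage, now = () => Date.now()) {
    this.storage = storage;
    this.now = now;
  }
  static key(appUser, endpoint) {
    // encodeURIComponent keeps ':' out of both parts, so the key cannot be
    // ambiguous even though the endpoint URL itself contains ':'.
    return `token:${encodeURIComponent(appUser)}:${encodeURIComponent(endpoint)}`;
  }
  get(appUser, endpoint) {
    const k = ScopedTokenCache.key(appUser, endpoint);
    const raw = this.storage.getItem(k);
    if (raw === null) return null;
    const token = JSON.parse(raw);
    if (typeof token.expiresAt !== 'number' || token.expiresAt <= this.now()) {
      this.storage.removeItem(k); // expired or malformed: force re-authentication
      return null;
    }
    return token;
  }
  set(appUser, endpoint, token) {
    this.storage.setItem(ScopedTokenCache.key(appUser, endpoint), JSON.stringify(token));
  }
  // Call on app logout: removes every third-party token held for this user.
  // Returns the number of entries removed.
  clearUser(appUser) {
    const prefix = `token:${encodeURIComponent(appUser)}:`;
    const doomed = [];
    for (let i = 0; i < this.storage.length; i++) {
      const k = this.storage.key(i);
      if (k && k.startsWith(prefix)) doomed.push(k);
    }
    doomed.forEach((k) => this.storage.removeItem(k));
    return doomed.length;
  }
}

// Replays steps 1-9 of the report against a cache: rosefhir authenticates to
// the endpoint as wilmasmart, then andrew connects to the same endpoint.
// Returns the patient whose data andrew would receive without authenticating,
// or null if he is (correctly) sent to authenticate.
function replayReport(cache, now = Date.now()) {
  cache.set('rosefhir', ENDPOINT, {
    accessToken: 'sample-token-1', // constructed value, not a real credential
    patient: 'wilmasmart',
    expiresAt: now + 60 * 60 * 1000, // one hour
  });
  const leaked = cache.get('andrew', ENDPOINT);
  return leaked ? leaked.patient : null;
}

console.log('unscoped cache leaks patient:', replayReport(new UnscopedTokenCache(new MemoryStorage())));
console.log('scoped cache leaks patient:', replayReport(new ScopedTokenCache(new MemoryStorage())));
```

Keying on the endpoint alone is the whole bug: the cache cannot distinguish who obtained the token, so it cannot refuse to hand it to someone else. Scoping the key to the app user is necessary but not sufficient on a shared machine, which is why the hardened cache also expires entries and is cleared on logout.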

kbertodatti commented 4 weeks ago

Need to explore a timeout variable. @drbgfc @mattStorer @swmuir to discuss in SDS Subgroup Meeting on June 17 at 3pm.