Closed MyfanwyNixon closed 12 years ago
We received a support email indicating that the user had been on a questionnaire page when he submitted feedback - url /q/jntv64z8*****
I followed the link to see which campaign he was talking about, and as a result became logged in as him. I remained logged in as I browsed the site.
This strikes me as a potential security breach, although, presumably a small one if it's only the team who'd ever see it?
This is intentional behaviour - as ever, there's a tradeoff between security and convenience, and we've decided on the side of convenience in this case.