Great question. I just checked the test to confirm before I wrote this answer.
If I am 'Person A' and you are 'Person B', then this is what should happen:
- Person A logs into the website using IWA, gets the session identifier (for example, in the URL)
- Person B also logs onto the website as himself (therefore, he must be authenticated).
- Person A sends Person B a URL link that contains the session identifier.
- Person B clicks on this link and goes directly to the website using the session information for Person A.
Please note that Person B is still recognized by the website as Person B, even if they use session data from Person A. Therefore, if you have code that verifies user rights, etc., these checks are still run in the context of Person B.
This may seem like a huge problem, but it is not unless programmers are careless. For example, the only effect Person B got in my test above was that they inherited the screen and grid screens that Person A created, because we perform our checks on the right (i.e., they are not cached). If you store sensitive data in a session, this can be a problem, but it is a problem only if the fields showing it are not checked every time they are displayed. This is also a problem only if the session for Person A has not expired.
slugster
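The scenario above (a session identifier carried in a URL and then opened by a differently authenticated user) can be caught on the server by binding each session to the identity that created it. This is an added example, not code from the answer or from any particular web framework; the in-memory store, the `create_session`/`load_session` helpers and the `DOMAIN\personA` style user names are constructed for illustration.

```python
import secrets

# Constructed in-memory session store: session id -> {"owner": user, "data": {...}}
sessions = {}


def create_session(user):
    """Create a fresh session bound to the authenticated user (hypothetical helper)."""
    sid = secrets.token_urlsafe(16)
    sessions[sid] = {"owner": user, "data": {}}
    return sid


def load_session(sid, authenticated_user):
    """Resolve the session for a request without letting one user inherit another's.

    authenticated_user is the identity the authentication layer (e.g. IWA)
    established for this request. If the session named in the URL belongs to a
    different user, it is discarded and a new session is issued.
    Returns (session_id, session_data, foreign) where foreign is True when a
    mismatched session was rejected (worth logging as a security event).
    """
    sess = sessions.get(sid)
    if sess is not None and sess["owner"] == authenticated_user:
        return sid, sess, False
    foreign = sess is not None
    if foreign:
        del sessions[sid]  # never serve Person A's data to Person B
    new_sid = create_session(authenticated_user)
    return new_sid, sessions[new_sid], foreign


def demo():
    """Replay the answer's scenario: B follows A's link while authenticated as B."""
    sid_a = create_session("DOMAIN\\personA")
    sessions[sid_a]["data"]["grid_layout"] = "A's private grid"
    # Person A shares a URL carrying sid_a; Person B, authenticated as himself, opens it
    sid_b, sess_b, foreign = load_session(sid_a, "DOMAIN\\personB")
    # B gets a fresh session, A's session data is not visible, and the mismatch was flagged
    return sid_b != sid_a and foreign and "grid_layout" not in sess_b["data"]
```

Without such a check the framework happily serves whatever session the URL names, which is exactly why the answer's inherited "screen and grid screens" appeared for Person B.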