- Product: Aleph
- Product Version: 20, 21, 22, 23
- Relevant for Installation Type: Dedicated-Direct, Direct, Local, Total Care
We have a security issue:
Patron A logs in to the OPAC, finds a book, clicks on full view, and copies the URL
and sends this link to Patron B. When Patron B clicks on this URL he can see the Login data from Patron A, because the ID-Session is still active.
(Once the ID- session is not active anymore, it is OK: Patron B can no longer see Patron A's Login Data.)
[As described in KB 5895, Patron B, using patron B's session ID, will see Patron A's search results.]
In an Internal Note. Contact Ex Libris Support.
- Article last edited: 02-Mar-2016