
    X Services security

    • Article Type: General
    • Product: Aleph
    • Product Version: 17.01

    Description:
    When investigating X Services documentation for the first time, we were perturbed to find that, provided a patron's ID number is known, all patron information is freely available over the web without any authentication check.
    Should this be so?

    Resolution:
    To address the security issue, we suggest changing the password (PW) of the GUI user WWW-X, which is used by all X-server transactions, and adding the following to the URLs:

    &user_name=WWW-X&user_password=NEW-PW

    Another method is to start with a login request:
    /X?op=login&library=XXX50&user_name=WWW-X&user_password=NEW-PW
    and then add the session ID to each request, for example:
    &session=DYNYB4ACFLXXNARS49QFXTGQN89MU4QM3KHAQ79YE49PX8MH27
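
The following client-side sketch of the login-then-session method is an added example, not Ex Libris code: it URL-encodes the new password so characters such as `&` or `#` cannot break the query string, swaps inline credentials for the session parameter, and masks both secrets before a URL is logged, since query strings are normally recorded in web server access logs. The host name, the `bor_id` parameter name, and the password and session values are assumptions constructed for illustration.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl

# Parameter names taken from the article; their values must never reach a log.
SECRET_PARAMS = {"user_password", "session"}


def login_url(base, library, user_name, user_password):
    """Build the op=login request; urlencode escapes '&', '=' and '#' in the password."""
    query = urlencode({"op": "login", "library": library,
                       "user_name": user_name, "user_password": user_password})
    return f"{base}/X?{query}"


def with_session(url, session_id):
    """Return url carrying exactly one session parameter and no inline credentials."""
    parts = urlsplit(url)
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if k not in ("session", "user_name", "user_password")]
    params.append(("session", session_id))
    return urlunsplit(parts._replace(query=urlencode(params)))


def redact(url):
    """Mask secret values so the URL can be written to client-side logs."""
    parts = urlsplit(url)
    params = [(k, "REDACTED" if k in SECRET_PARAMS else v)
              for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(params)))


if __name__ == "__main__":
    base = "https://aleph.example.org"  # constructed host, not a real server
    # Constructed password containing characters that would corrupt a raw URL.
    print(redact(login_url(base, "XXX50", "WWW-X", "N&w=PW#1")))
    # Constructed request that still carries inline credentials; bor_id is assumed.
    old = (base + "/X?op=bor-info&library=XXX50&bor_id=CONSTRUCTED-ID"
           "&user_name=WWW-X&user_password=old")
    print(redact(with_session(old, "CONSTRUCTED-SESSION-ID")))
```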

    Additional Information

    X Services security bor-info


    • Article last edited: 10/8/2013