An Unauthorized User Can Fetch The Specialty of Other Country Users

0
We have an application called ROEM that is used for different countries and different users, with respect to their countries. When a user logs in to the application with their credentials, the data is displayed with respect to the country data assigned to their account. But while testing was performed by the VAPT team, they created cookies for a particular user account and passed the generated GUID of this country cookie to another country account's cookie; as a result, it gives the previous cookie's data in the other country account's data, which should not happen, so I need your help to resolve this.
asked
2 answers
0

Have a look at entity access in the documentation: https://docs.mendix.com/refguide/access-rules/#xpath-constraint With this you do not need to work with the cookie solution, but you make sure the data is only served for the country assigned to the user.

answered
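As an added illustration (not code from the question or from either answer), this is the kind of entity-access XPath constraint the answer above points to. The entity and association names are assumptions: a hypothetical entity ROEM.CountryData linked to ROEM.Country via ROEM.CountryData_Country, and a System.User specialization ROEM.Account linked to its country via ROEM.Account_Country. Because the access rule is applied by the runtime on every retrieve, a session swapped in through a cookie still only returns rows for the country of the account that owns that session:

```xpath
// Weak: a read access rule on ROEM.CountryData for the country user role
// with NO XPath constraint. Every row of every country is readable, and the
// only filtering is whatever the page or microflow happens to apply.

// Hardened: the same read access rule with this XPath constraint.
// (Entity and association names below are assumed for this example.)
// Starting from ROEM.CountryData, follow its association to the Country,
// then from that Country to the Accounts assigned to it, and keep the row
// only when the current user is one of those Accounts.
[ROEM.CountryData_Country/ROEM.Country/ROEM.Account_Country/ROEM.Account = '[%CurrentUser%]']
```

Apply the same constraint to every entity that carries country-specific data, and use the security overview in Studio Pro to confirm no role still has an unconstrained read rule on them.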
0

Normally on Mendix, System.User will have multiple session IDs (XASSESSIONID). If they pass the cookie to the user, however, they are not able to commit the cookies; therefore, you may need to verify whether that session belongs to this user or not.

answered