On Tue, May 19, 2020, 11:52 sciUser <shulb...@securitycentric.net> wrote:
> What you want is what we do: we built a provisioning system that handles Just In Time (JIT) tokens, and they expire after the session is terminated, preventing students from bookmarking the URL.

The token is not part of any URL exposed to the user in that way. It's part of REST requests made internally by JavaScript. You're not going to bookmark or see a session token unless you go out of your way to do so and open up dev tools.

The concern that a token may be inadvertently logged by a proxy is a valid one, though, and we should look into changes to the REST services that would allow the token to be provided through a header. I think the main difficulty there would be with WebSocket, which lacks an API for setting headers.

- Mike
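To make the proxy-logging concern concrete, here is an added example (not code from this thread or from the project being discussed) in JavaScript. It builds the same REST request two ways, with the session token in the URL query string and with it in a request header, checks which form leaves the token recoverable from the URL alone (the part a proxy access log records), and runs a small detection pass over constructed access-log lines. The function names, the `Authorization` header choice, the parameter names treated as token-like, and the log line format are all assumptions made for this example.

```javascript
// Added example: session token in the URL versus in a request header, plus a
// defender's check over proxy access-log lines. Names and formats are assumed.

const TOKEN_HEADER = "Authorization"; // assumed header used to carry the token

// Build the pieces of a REST request. With placement "query" the token rides in
// the URL (which proxies, browser history and bookmarks record); with "header"
// it travels in a header, which is not part of the URL a proxy writes to its log.
function buildRestRequest(baseUrl, path, token, placement) {
  const url = new URL(path, baseUrl);
  const headers = { Accept: "application/json" };
  if (placement === "query") {
    url.searchParams.set("token", token);
  } else if (placement === "header") {
    headers[TOKEN_HEADER] = `Bearer ${token}`;
  } else {
    throw new Error(`unknown token placement: ${placement}`);
  }
  return { url: url.toString(), headers };
}

// True if the token value can be recovered from the URL alone, i.e. it appears
// as a query parameter value or inside the path.
function tokenExposedInUrl(url, token) {
  const u = new URL(url);
  for (const value of u.searchParams.values()) {
    if (value === token) return true;
  }
  return u.pathname.includes(token);
}

// Query parameter names treated as token-like for the log scan (assumed list).
const TOKEN_PARAMS = new Set(["token", "session", "sid", "access_token"]);

// Scan access-log lines of the constructed form "METHOD PATH PROTO STATUS" and
// return those whose request path carries a token-like query parameter.
function scanAccessLog(lines) {
  const hits = [];
  for (const line of lines) {
    const fields = line.trim().split(/\s+/);
    if (fields.length < 2) continue;
    let u;
    try {
      // The base host is a placeholder; only the path and query are inspected.
      u = new URL(fields[1], "http://placeholder.invalid");
    } catch {
      continue; // not a parseable request path, skip it
    }
    for (const name of u.searchParams.keys()) {
      if (TOKEN_PARAMS.has(name.toLowerCase())) {
        hits.push(line);
        break;
      }
    }
  }
  return hits;
}

// Constructed sample log lines (not real traffic).
const SAMPLE_ACCESS_LOG = [
  "GET /api/notebooks?token=abc123def HTTP/1.1 200",
  "GET /api/notebooks HTTP/1.1 200",
  "GET /api/kernels?session=9f8e7d HTTP/1.1 101",
];

if (typeof require !== "undefined" && require.main === module) {
  const token = "tok-example-1";
  const viaQuery = buildRestRequest("https://app.example.test", "/api/items", token, "query");
  const viaHeader = buildRestRequest("https://app.example.test", "/api/items", token, "header");
  console.log("query  exposes token in URL:", tokenExposedInUrl(viaQuery.url, token));
  console.log("header exposes token in URL:", tokenExposedInUrl(viaHeader.url, token));
  console.log("log lines carrying a token-like parameter:", scanAccessLog(SAMPLE_ACCESS_LOG));
}

module.exports = { buildRestRequest, tokenExposedInUrl, scanAccessLog, SAMPLE_ACCESS_LOG };
```

The header form is the change Mike proposes for the REST services: the token never enters the URL, so a proxy that logs request lines does not capture it. The browser `WebSocket` constructor takes only a URL and an optional subprotocol list, with no way to set request headers, which is the gap the message points out; this example does not attempt to cover that leg.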