Hello,

In the scope of a security audit, a possibility was found to take over the
Guacamole session of a user by copying the Windows profile.
The cause is the GUAC_AUTH token, which is located in the local storage of
the browser, which is also obtained with a copy of the Windows profile. The
prerequisite for this behavior is that the user has a valid GUAC_AUTH token
at the time of the copy.
Is there a way to keep session handling away from the browser store?

Best regards
Bernhard
