On 2/20/25 10:06 AM, Nick Couchman wrote:
On Thu, Feb 20, 2025 at 12:10 PM pavithra vijayakumar <pavithraav...@gmail.com> wrote:

    Hi Team,

    I hope this message finds you well. I am currently working on the
    Guacamole project and am seeking your guidance regarding the
    security of client connections within my Blazor application
    (using .NET C# and JavaScript).

    At present, I am able to successfully establish a connection to
    Guacamole through the URL format:
    https://{guacServer}/#client/{connectionId}?token={authToken}.
    However, I am concerned about
    the security implications of exposing the token in the URL. This
    increases the risk of unauthorized access if the URL is copied and
    shared.

    Additionally, I have encountered a CORS issue when attempting to
    pass the token in the request header instead of the URL.

    Could you kindly advise on how to mitigate these security concerns,
    prevent token exposure in the URL, and resolve the CORS issue?

What version of Guacamole are you working with? In general, the token= parameter was removed from Guacamole in the 1.4.0 release via this Jira issue: https://issues.apache.org/jira/browse/GUACAMOLE-956.

If you're still using or seeing the token= parameter, then you may be using an older version of Guacamole, and upgrading will take care of a lot of that.


For reference, the header used for the token since GUACAMOLE-956 is "Guacamole-Token".

There are still a few locations where the old "token=" can be found, namely WebSocket where headers just aren't a possibility, but nearly all usages of the "token" query parameter have been replaced with corresponding usage of "Guacamole-Token".

As for CORS, can you describe the issue you're encountering? What error(s) is your browser giving due to CORS? What CORS headers are you adding to the responses?

- Mike
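The header-versus-query-parameter split described above, as an added browser-side example (not code from this thread or from the Guacamole project). It assumes a REST path of "api/session/data" and the tunnel path "websocket-tunnel"; the base URL and token values are constructed.

```javascript
// Added example, not part of the original thread or the Guacamole code base.
// Since GUACAMOLE-956 the auth token is carried in the "Guacamole-Token" header
// for REST calls. The WebSocket tunnel is the remaining exception: a browser
// WebSocket handshake cannot set custom headers, so token= stays in that URL.
// Paths "api/session/data" and "websocket-tunnel" are assumptions for this demo.

const TOKEN_HEADER = "Guacamole-Token";

// REST request: the token goes in the header, never in the URL. A caller that
// still appends ?token= is rejected so the old pattern cannot creep back in.
function buildRestRequest(baseUrl, path, authToken) {
  const url = new URL(path, baseUrl);
  if (url.searchParams.has("token")) {
    throw new Error("token must not be passed as a query parameter");
  }
  return {
    url: url.toString(),
    options: { method: "GET", headers: { [TOKEN_HEADER]: authToken } },
  };
}

// WebSocket tunnel: the WebSocket constructor takes no headers, so the token
// remains a query parameter here. Treat this URL as a secret: short-lived,
// never logged, never shared.
function buildWebSocketTunnelUrl(baseUrl, authToken) {
  const url = new URL("websocket-tunnel", baseUrl);
  url.protocol = url.protocol === "https:" ? "wss:" : "ws:";
  url.searchParams.set("token", authToken);
  return url.toString();
}

// Log hygiene: mask any token value in a URL before it is written to a log,
// an error report or analytics. Also covers the legacy #client/...?token= form.
function redactToken(urlString) {
  return urlString.replace(/(\btoken=)[^&#]*/gi, "$1[REDACTED]");
}
```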

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
For additional commands, e-mail: user-h...@guacamole.apache.org
