Question

User security issue with ScanIt app on barcode handhelds

  • 25 October 2019
  • 6 replies
  • 872 views

Userlevel 6
Badge +18

We have run into a security issue when testing barcode scanning with our Zebra MC93 Android-based scan guns. These need to use the Scan It mobile app for Apps10. Wondering if anyone else has seen or resolved the same issue?


We have configured the touch apps server to use AD Authentication as required for using the Android apps. The issue we have is multiple users use the scanner devices in the warehouses. This creates several problems:

  1. Each user when using one of the scanners for the first time needs to create an account in the Account Manager app. This requires the System ID and the full path to the touch apps server to be entered.
  2. Once these profiles are set up (after being directed to our One Login page and entering their AD account and password), the username and password seem to be stored in perpetuity – there is no option in the handheld ScanIt app for users to log out, and no requirement to ever log in again. This means anyone can transact under any profile that has been saved on the device.

6 replies

Userlevel 6
Badge +21

The possibility to log in again using an already entered entry depends on the status of that entry's session lifetime. When the session has expired, nobody can use the given entry in Account Manager until it has been refreshed by entering the correct credentials again.

Userlevel 4
Badge +8

Adding further to Isuru's comment: if the user has no requirement to ever log in again, the account can be deleted from the Account Manager app by long-pressing on the required account.

Userlevel 6
Badge +18

@Isuru Wijeratna this is helpful. Where does this session lifetime get set for these Azure-authenticated user sessions?

Would this also mean that if we set the session lifetime to something very small (e.g. 5 mins), then a single user would also need to keep logging in every 5 mins even if they were not using a shared device?

Nick

Userlevel 6
Badge +21

Login session lifetime is configurable. If it has expired, the end user has to refresh the credentials. There are a few JVM parameters, such as:

  1. ifs.oidc.authcode.lifetime
  2. ifs.oidc.accesstoken.lifetime
  3. ifs.oidc.refreshtoken.lifetime

Once you have configured them according to your requirements, the session timeout depends on your new configuration.

Once the session has expired you will get this message (refer to the attached error message).

As the logout feature is not available as a function, I will suggest another workaround, but it may need some additional work. :frowning2:

  1. The System ID and Service URL could be saved in a text file. :book:
  2. End users can copy and paste those into the relevant fields instead of typing.
  3. Once they end their work, they can delete the account in Account Manager.

Other than that, if you can log a case for this, I can initiate the discussion for having this feature soon or implementing it in a future release. :thinking: (But you still have a few workarounds :wink:)
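For Nick's follow-up question about a very short lifetime, the following added example (not IFS code; the semantics it assigns to the two token parameters are an assumption based on standard OIDC behaviour, not something the thread confirms) models how long a saved Account Manager entry stays usable without credentials under different ifs.oidc.accesstoken.lifetime and ifs.oidc.refreshtoken.lifetime values.

```python
"""Shared-device login exposure as a function of OIDC token lifetimes.

Added example, not IFS code. Assumed semantics (standard OIDC, not confirmed
by the thread): an access token is usable until its lifetime ends; while the
refresh token is still valid, an expired access token is renewed silently;
once both have expired, the saved entry needs a fresh interactive login.
No refresh-token rotation is modelled.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Lifetimes:
    """Lifetimes in seconds, named after the JVM parameters in the thread."""
    accesstoken: int   # ifs.oidc.accesstoken.lifetime
    refreshtoken: int  # ifs.oidc.refreshtoken.lifetime


def reauth_times(lt: Lifetimes, login_at: int, actions: List[int]) -> List[int]:
    """Return the action timestamps at which credentials must be re-entered.

    login_at: time of the interactive login that created the saved entry.
    actions:  ascending timestamps at which someone transacts with that entry.
    """
    needs_login = []
    access_expiry = login_at + lt.accesstoken
    refresh_expiry = login_at + lt.refreshtoken
    for t in actions:
        if t <= access_expiry:
            continue                            # access token still valid
        if t <= refresh_expiry:
            access_expiry = t + lt.accesstoken  # silent refresh, no prompt
            continue
        needs_login.append(t)                   # both expired: must log in
        access_expiry = t + lt.accesstoken      # a fresh login restarts both clocks
        refresh_expiry = t + lt.refreshtoken
    return needs_login


if __name__ == "__main__":
    scans = [600, 1200, 9000, 40000]            # constructed sample timeline (seconds)
    # 5-minute access token, 8-hour refresh token: one re-login, not one every 5 min,
    # but the entry stays usable by anyone holding the device for the refresh lifetime.
    print(reauth_times(Lifetimes(300, 28800), 0, scans))  # [40000]
    # 5-minute refresh token as well: every scan after 5 idle minutes needs credentials.
    print(reauth_times(Lifetimes(300, 300), 0, scans))    # [600, 1200, 9000, 40000]
```

The refresh-token lifetime, not the access-token lifetime, is what bounds how long a saved entry can be used by whoever picks up the device.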

Userlevel 3
Badge +8

Where are these parameters in IFS 10?

  1. ifs.oidc.authcode.lifetime
  2. ifs.oidc.accesstoken.lifetime
  3. ifs.oidc.refreshtoken.lifetime

Userlevel 7
Badge +21

Hi @DominikaM,

You would set up those parameters in the IFS Middleware Server Admin screens.

Go to your IFS Technical Documentation at the URL below; just replace <YourServer> with your actual documentation server.

https://<YourServer>/ifsdoc/f1doc/foundation1/040_administration/210_security/015_authentication/040_configure_DBIDP/

Regards,

William Klotz
