Quote:
Originally posted by rowan
WTF? They load our members area in a frame? I haven't seen any mention of this, or that it's mandatory... can you give me more information on this?
|
Yup that's right.
Try logging into your site via the Ticketsclub interface using a valid username/password and you'll see what I mean. There's a big banner maintained across the top saying "TICKETSCLUB" and your members site appears framed underneath.
I (along with others) asked if it was ok to remove this using scripting and was told it was NOT ok to remove it it's part of the whole Ticketsclub thing.
That is unacceptable to me as I hate frames and all my sites are designed not to use them apart from when it's unavoidable. But apart from that I don't really want "TICKETSCLUB" across the top of every one of my pages using valuable screen space!
As for the other comment about password theft when they are in the URL - in principle it's no more insecure then plain text basic authentication (you can sniff both).
However, with some older browsers there is a security issue. If you have a link on your site to another site - and the browser is maintaining these username/password URL's (which it will do through your whole site by default) then it can pass the username/password + URL in it's referer field to the site you are linking out to. The other site can then "harvest" this in their log files.
However,
a) This only applies to older browsers and ...
b) Not sure if the horrible Ticketsclub frames might prevent this as the url is probably always going to be ticketsclub.com as that's all that ever appears in the URL box when you are in frames - which is kind of misrepresentative as it might lead someone to assume everything they are seeing was created by Ticketsclub... I don't think this is delibrate by Verotel - it's just the way frames work. But it's annoying none the less and another reason to hate the framing thing...
Anyone staying with Ticketsclub ought to verify this thing about passwords and how they behave with older browsers (whether they do send out the frame URL or the actual page URL complete with username/password). To fix this is simple - just redirect to a page without the username/password in the URL. Since the browser has already authenticated it won't prompt again and the details will no longer be in the URL...