Qlik Community

QlikView Security & Governance

Discussion Board for collaboration on QlikView Security and Governance.

Announcements
QlikView Fans! We’d love to hear from you.
Share your QlikView feedback with the product team… Click here to participate in our 5-minute survey.
Rules, plus terms and conditions, can be found here.
fabio_ribeiro
New Contributor III

Shared Session URL

Hi all.

Someone know how to hide a host information in URL when we shared a session?

http://localhost/QvAJAXZfc/opendoc.htm?invite=240C5BB758AADDC5C0060E079D759A7EC7F9F20F&anonymous=&ho...

&host=SVRLAB02 can't be displayed by security reasons.

5 Replies

Re: Shared Session URL

Unfortunately, this parameter is required whenever you need to direct opendoc.htm to a QVS that isn't residing on localhost. AFAIK that's the case for every user that clicks the link in an email message on his/her desktop/laptop.

Why is server SVRLAB02 a secret? Does nobody know where the QlikView documents are hosted? Or is this security elevated because you are dealing with external users that may know about the AP host but everything else should be hidden?

Peter

fabio_ribeiro
New Contributor III

Re: Shared Session URL

Hi Peter, how are you?

In this example I took a internal link only to illustrate the problem, the server from which I'm referring is a Government server, and it will be accessed internally and externally too.

This point of view the server name publicly on the internet is a matter of information security.

Re: Shared Session URL

Hmmm, I don't know for sure, but I don't think it's possible to change the URL that is embedded in a Shared Session invitation.

You could rewrite opendoc.htm so that it doesn't need the host=XYZ parameter anymore by hardcoding the default destination in that file. But that still doesn't change the invitation URL.

I guess Alexander Karlsson‌ can tell us more about this issue. Not sure if he's still available. Let's try.

Peter

Employee
Employee

Re: Shared Session URL

As far as I know you can’t modify the invite url but it has been a while since I last looked at it.

But if revealing the hostname is a issue I would be careful anyhow, don’t we leak that information through the document info menu anyhow?

Alexander Karlsson

Developer Relations Engineer

The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer.

Employee
Employee

Re: Shared Session URL

It only shows the short host name, not the FQDN. Thinking outside the Square, why not just make sure the host name doesn't identify the server from outside.  i.e. if the server name is ABC123 then that will mean nothing unless people are on your network.  If its an internal IP address, it won't resolve externally if someone tries to work it out. 

Community Browser