VMware Horizon Community
-Jason_Pope-
Contributor

Credentials being cached in blast session even after browser was closed

Hi,

I was wondering if anyone has come across this issue and not thought that it is a security risk?

The issue arises when a user has connected to a blast session (with other browser windows and tabs open), and decides to close the session by either closing the tab it is in or by closing the browser window (while other browser windows are open). If the user was to then open another tab or window and put in the URL for the portal, the page does not ask for login credentials and lets them straight back to the page showing all their published apps and available desktops.

This is a major security hole. All credentials should have been disregarded when the tab or browser window was closed, much like how a bank deals with users doing online banking. So if you were to close any tab or browser you would be asked for your credentials to log in again.

We see this as being an issue if and when a user is using a public terminal (or even a laptop at a trade fair) and does not LOGOFF but just closes the browser assuming that the session is closed. Anyone could jump onto the terminal they were on and open the blast URL and be straight in.

The only way the user credentials would be disregarded would be when every browser window has been closed.

This issue could very well be mitigated if there was a session timeout option that would disconnect the blast session yet keep any active connections to apps and desktops running, much like what Citrix can do. I have raised the issue with VMware with regard to these timeouts (desktop sessions and blast timeouts), but they say these are not there and they are not sure when they will be.

At the moment we have had to disable SSO, which is a real shame because the solution was so slick with SSO enabled. It has also forced us to start looking at a Citrix solution as they have the idle timeouts available. We like the VMware product and would preferably not move away from it if we had to.

VMware support told me to put this through as a "Feature Request", but personally I think this is a bug.

We are using VMware Horizon 7.

Is anyone at VMware aware of this issue (besides the support person that took my call and raised the case)? Has anyone else come across this and found a way to fix this?
