GrapeCity.ActiveReports.Web.WebViewer is not clearing the report token

Posted by: hariharan.ramachandran on 15 November 2018, 12:19 am EST


    We are using ActiveReports WebViewer to view the report. Internally ActiveReports is caching the report using some token, and this token is visible in the Internet Explorer Developer Tools network tab while the report is being fetched.

    Copied the URL from the network tab and logged out from the application.

    The URL looks something like this:

    http://localhost:53848/ActiveReports.ar12?Token=8c22f81d-fe07-44b3-863a-a14707d8b019&Generation=1&Page=1&WebViewerControlClientId=DNAprofitWebViewer12&HtmlViewer=true

    Now once again signed on to the application as a different user and tried to access the URL copied from the previous session.

    Now ActiveReports returns the same report. In this response some other user's report is fetched. This becomes a "Privilege Escalation using an Under-Privileged User" security issue.

    Kindly suggest an option to kill the session or token on closing the viewer.

    Thanks,

    Hariharan R

  • Posted 15 November 2018, 10:17 pm EST

    Hi Hariharan,

    To clear the cached report, you can make use of the reportLifetime and maxReportLifetime attributes of ActiveReports service in web.config. These attributes define the time period for which the reports will be cached on the server before destroying them. Please see the following documentation link for details on these - http://help.grapecity.com/activereports/webhelp/AR12/webframe.html#ReportServiceSettings.html

    Thanks
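The question above describes a report token that keeps working after the owner has logged out, and the reply points at lifetime settings as the mitigation. The following simulation, added here as an illustration and not code from ActiveReports or GrapeCity, shows both sides: a cache that hands out the report to anyone holding the token, beside a hardened cache that binds the token to its owner and login session, revokes it on logout, and expires it after an idle period and a hard maximum. The names `LeakyReportCache`, `BoundReportCache` and `replay_scenario` are hypothetical, and the idle/absolute semantics modelled for `report_lifetime` and `max_report_lifetime` are an assumption about what the web.config attributes mean, not the documented behaviour.

```python
"""Report-token cache simulation (hypothetical, not ActiveReports code).

LeakyReportCache models the behaviour in the post: the token alone retrieves
the report.  BoundReportCache models the defender-side fix: token bound to
owner + session, revoked on logout, expired by idle and absolute lifetimes.
"""
import time
import uuid
from dataclasses import dataclass


@dataclass
class CachedReport:
    content: str
    owner: str          # user who rendered the report
    session_id: str     # login session that minted the token
    created: float      # absolute creation time
    last_access: float  # refreshed on each successful fetch


class LeakyReportCache:
    """Token is the only key: no owner, session or age check, no revocation."""

    def __init__(self):
        self._reports = {}

    def render(self, user, session_id, report_name):
        token = str(uuid.uuid4())
        self._reports[token] = f"{report_name} rendered for {user}"
        return token

    def fetch(self, user, session_id, token):
        return self._reports.get(token)   # whoever presents the token wins

    def logout(self, session_id):
        pass                              # tokens outlive the session


class BoundReportCache:
    """report_lifetime = idle timeout (assumed), max_report_lifetime = hard cap
    on total age (assumed); clock is injectable so expiry can be tested."""

    def __init__(self, report_lifetime=600, max_report_lifetime=3600, clock=time.time):
        self._reports = {}
        self._report_lifetime = report_lifetime
        self._max_report_lifetime = max_report_lifetime
        self._clock = clock

    def render(self, user, session_id, report_name):
        now = self._clock()
        token = str(uuid.uuid4())
        self._reports[token] = CachedReport(
            f"{report_name} rendered for {user}", user, session_id, now, now)
        return token

    def _expired(self, entry, now):
        return (now - entry.last_access > self._report_lifetime
                or now - entry.created > self._max_report_lifetime)

    def fetch(self, user, session_id, token):
        entry = self._reports.get(token)
        if entry is None:
            return None
        now = self._clock()
        if self._expired(entry, now):
            del self._reports[token]       # destroy on first touch after expiry
            return None
        if entry.owner != user or entry.session_id != session_id:
            return None                    # different principal or session: deny
        entry.last_access = now
        return entry.content

    def logout(self, session_id):
        """Revoke every token minted by the session that is ending."""
        for token in [t for t, e in self._reports.items() if e.session_id == session_id]:
            del self._reports[token]

    def purge_expired(self):
        """Background sweep; returns how many entries were destroyed."""
        now = self._clock()
        dead = [t for t, e in self._reports.items() if self._expired(e, now)]
        for token in dead:
            del self._reports[token]
        return len(dead)


def replay_scenario(cache):
    """Replays the post: alice renders, logs out; bob presents alice's token."""
    token = cache.render("alice", "sess-alice-1", "ActiveReports.ar12")
    cache.logout("sess-alice-1")
    return cache.fetch("bob", "sess-bob-1", token)


if __name__ == "__main__":
    print("leaky cache gives bob:", replay_scenario(LeakyReportCache()))
    print("bound cache gives bob:", replay_scenario(BoundReportCache()))
```

The lifetime settings alone only shrink the window; the owner and session binding in `fetch` is what stops a copied URL from working for a different user at all, and `logout` is the "kill the token on closing the viewer" step the question asks for.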
