Private Allocations Security Enhancement
Overview
When an allocation is created, the contributor will receive an email alert which contains a hyperlink to the Web Contribution Page. Because a user can only create an allocation for a valid Breeze user, in earlier versions of Breeze there was no additional authentication when the contributor opened the hyperlink from his/her email to the web contribution page.
The onus was on Breeze users to ensure that allocation alert emails were not distributed to non-Breeze users.
However, in earlier versions of Breeze, if a non-Breeze user got hold of such an email, he/she would have been able to access the web contribution page and view and update data. The purpose of Breeze 2.4 Update 1 is to address this security flaw.
Changes in the new release
After deployment of Breeze 2.4 Update 1, all users who attempt to access the Private Allocations Web Contribution page will be required to log in to Breeze first.
This means that if a non-Breeze user manages to get hold of the Allocation Alert Email, he/she will be required to log in first. If the user does not have a valid Breeze account, the login attempt will fail and the user will not be able to access Breeze data.
Once a valid Breeze user has logged in to the Allocations Web Contribution page, standard session management rules will apply. This means that the user can log out and terminate the Breeze session from this page. It also means that if the user was already logged in to Breeze at the time of opening this page, he/she would not need to log in again.