Knowledge Base

April 2008 - The PaperCut code based has been recently externally reviewed from a security standpoint. As a result of this review a number of potential cross-site request forgery attacks (XSRF) were found. This is a relatively new and emerging attack vector. The potential XSRF vectors were closed up in the 8.2 release. The security advice on the NTLM topic was that we should keep with our transient authentication method and all SSO code should be removed. Moving back to NTLM/SSO would be equivalent to introducing persistent authentication and would be against XSRF best security practice, unnecessarily exposing users.

keywords: single sign on, signon, interface, web tools, login, NTLM, integrated authentication, auth, automatic login, Windows authentication

To prevent these issue we have designed PaperCut NG to require username/password authentication when the end-user pages are initially accessed. The new authentication method also provides a consistent login interface for users across all operating systems. The login screen can also be quickly customized to include your organization logo providing an official look.

The problem was that students would momentarily leave their desktop and another student could jump in, open the browser, and transfer funds out of their account or gain access to other sensitive data or functions. The same can be said for “admin” level users, although with more severe consequences!

Another related issue covers a new area of security attack, cross-site request forgery (XSRF). In 2008 an external security advisor demonstrated a successful attack against PaperCut with SSO enabled.

To prevent these issue we have designed PaperCut NG to require username/password authentication when the end-user pages are initially accessed. The new authentication method also provides a consistent login interface for users across all operating systems. The login screen can also be quickly customized to include your organization logo providing an official look.

Most customers prefer the security and consistency of the new authentication system. Some however prefer the legacy behavior of the older releases. The developers have noted this request and are considering adding a non-default option to re-enable the legacy single sign-on (SSO) behavior in a future release. This will only happen after XSRF mitigation measures such as image captcha are in place in key areas of the application (e.g. balance transfer).

April 2008 - The PaperCut code based has been recently externally reviewed from a security standpoint. As a result of this review a number of potential cross-site request forgery attacks (XSRF) were found. This is a relatively new and emerging attack vector. The potential XSRF vectors were closed up in the 8.2 release. The security advice on the NTLM topic was that we should keep with our transient authentication method and all SSO code should be remove. Moving back to NTLM/SSO would be equivalent to introducing persistent authentication and would be against XSRF best security practice, unnecessarily exposing users.

Q Why do users have to log in when accessing the end-user web pages? Can I implement single sign-on (e.g. NTLM, Yale CAS)?

Categories: User Web Interface

(:title PaperCut NG User Web Interface Logins:)

Q Why do users have to log in when accessing the end-user web pages? Can I implement single sign-on?

This is a controversial topic. Older versions of PaperCut used to implement single sign-on, meaning that users could access the user interface by simply clicking on the Details… link in the client or bringing up the required URL in a browser. No login was required. This however caused a number of problems in an education environment. The user web interface exposes sensitive information and features such as funds transfer.

The problem was that students would momentarily leave their desktop and another student could jump in, open the browser, and transfer funds out of their account or gain access to other sensitive data or functions. The same can be said for “admin” level users, although with more severe consequences! To prevent this we have designed PaperCut NG to require username/password authentication when the end-user pages are initially accessed. The new authentication method also provides a consistent login interface for users across all operating systems. The login screen can also be quickly customized to include your organization logo providing an official look.

Most customers prefer the security and consistency of the new authentication system. Some however prefer the legacy behavior of the older releases. The developers have noted this request and are considering adding a non-default option to re-enable the legacy single sign-on (SSO) behavior in a future release.

April 2008 - The PaperCut code based has been recently externally reviewed from a security standpoint. As a result of this review a number of potential cross-site request forgery attacks (XSRF) were found. This is a relatively new and emerging attack vector. The potential XSRF vectors were closed up in the 8.2 release. The security advice on the NTLM topic was that we should keep with our transient authentication method. Moving to NTLM/SSO would be equivalent to introducing persistent authentication and would be against XSRF best security practice, unnecessarily exposing users.

PaperCut NG version 9+ now includes some web widgets. If the aim is to provide users with simple access to view their balance or environmental impact within your intranet environment then the web widgets may satisfy these requirements.

Categories: PaperCut Quota Web Tools

keywords: single sign on, interface, web tools, login, NTLM, integrated authentication, auth, automatic login, Windows authentication

PaperCut NG version 9+ now includes some web widgets. If the aim is to provide users with simple access to view their balance or environmental impact within your intranet environment, the web widgets may satisfy these requirements.

Other Options:

PaperCut NG version 9 now includes some web widgets. If the aim is to provide users with simple access to view their balance or environmental impact within your intranet environment, the web widgets may satisfy these requirements.

April 2008 - The PaperCut code based has been recently externally reviewed from a security standpoint. As a result of this review a number of potential cross-site request forgery attacks (XSRF) were found. This is a relatively new and emerging attach vector. The potential XSRF vectors were closed up in the 8.2 release. The security advice on the NTLM topic was that we should keep with our transient authentication method. Moving to NTLM/SSO would be equivilent to introducing persistent authentication and would be against XSRF best security practice and would unnecessarily expose users.

The problem was that students would momentarily leave their desktop and another student could jump in, open the browser, and transfer funds out of their account or gain access to other sensitive data or functions. The same can be said for “admin” level users, although with more severe consequences! To prevent this, we have designed PaperCut NG to require username/password authentication when the end-user pages are initially accessed. The new authentication method also provides a consistent login interface for users across all operating systems. The login screen can also be quickly customized to include your organization logo providing an official look.

Most customers prefer the security and consistency of the new authentication system. Some however prefer the legacy behavior of the older releases. The developers have noted this request and are considering adding a non-default option to re-enable the legacy single-signon (SSO) behavior in a future release.

Most customers prefer the security and consistency of the new authentication system. Some however prefer the legacy behavior of the older releases. The developers have noted this request and are planing on adding a non-default option to re-enable the legacy single-signon (SSO) behavior in a future release.

April 2008 - The PaperCut code based has been recently externally reviewed from a security standpoint. As a result of this review a number of potential cross-site request forgery attacks (XSRF) were found. This is a relatively new and emerging attach vector. The potential XSRF vectors were closed up in the 8.2 release. The security advice on the NTLM topic was that we should keep with our transient authentication method. Moving to NTLM/SSO would be equivilent to introducing persistent authentication and would be against XSRF best security practice. NTLM would be equivilent to introducing persistent authentication and would unnecessarily expose users.

Latest Review

April 2008 - The PaperCut code based has been recently externally reviewed from a security standpoint. As a result of this review a number of potential cross-site request forgery attacks (XSRF) were found. This is a relatively new and emerging attach vector. The potential XSRF vectors were closed up in the 8.2 release. The security advice on the NTLM topic was that we should keep with our transient authentication method. Moving to NTLM would be equivilent to introducing persistent authentication and would be against XSRF best security practice. NTLM would be equivilent to introducing persistent authentication and would unnecessarily expose users.

Most customers prefer the security and consistency of the new authentication system. Some however prefer the legacy behavior of the older releases. The developers have noted this request and are planing on adding a non-default option to re-enable the legacy single-signon behavior in a future release.

This is a controversial topic. Older versions of PaperCut use to implement single-signon, meaning that users could access the end-user pages by simply clicking on the Details… link in the client or bringing up the required URL in a browser. No login was required. This however caused a number of problems in an education environment. The end-user pages expose sensitive information and a number of advanced features such as funds transfers.

Most customers prefer the security and consistency of the new authentication system. Some however prefer the legacy behavior of the older releases. The developers are planing on adding a non-default option to re-enable the legacy single-signon behavior in a future release.

This is a controversial topic. PaperCut Quota used to implement single-signon, meaning that users could access the end-user pages by simply clicking on the Details… link in the client or bringing up the required URL in a browser. No login was required. This however caused a number of problems in an education environment. The end-user pages expose sensitive information and a number of advanced features such as funds transfers.

The problem was that students would momentarily leave their desktop and another student could jump in, open the browser, and transfer funds out of their account or gain access to other sensitive data or functions. The same can be said for “admin” level users, although with more severe consequences! To prevent this, we have designed PaperCut NG to require username/password authentication when the end user pages are initially accessed. The new authentication method also provides a consistent login interface for users across all operating systems. The login screen can also be quickly customized to include your organization logo providing an official look.

(:title PaperCut NG End-user Web login:)

This is a controversial topic. PaperCut Quota use to implement single-signon meaning that users could access the end-user pages by simply clicking on the Details… click in the client or bringing up the required URL in a browser. No login was required. This however caused a number of problems in an education environment. The end-user pages expose sensitive information and a number of advanced features such as funds transfers. The problem was that students would momentarily leave their desktop and another student could jump in, open the browser, and transfer funds out of their account or gain access to other sensitive data or functions. That same can be said for “admin” level users; again with even more severe consequences! To prevent this, we have designed PaperCut NG to require username/password authentication when the end user pages are initially accessed. The new authentication method also provides a consistent login interface for users across all operating systems. The login screen can also be quickly customized to include your organization logo providing an official look.

This is a controversial topic. PaperCut Quota use to implement single-signon meaning that users could access the end-user pages by simply clicking on the Details… click in the client or bringing up the required URL in a browser. No login was required. This however caused a number of problems in an education environment. The end-user pages expose sensitive information and a number of advanced features such as funds transfers. The problem was that students would momentarily leave their desktop and another student could jump in, open the browser, and transfer funds out of their account or gain access to other sensitive data or functions. That same can be said for “admin” level users; again with even more severe consequences! To prevent this, we have designed PaperCut NG to require username/password authentication when the end user pages are initially accessed. The new authentication method also provides a consistent login interface for users across all operating systems.

This is a controversial topic. PaperCut Quota use to implement single-signon meaning that users could access the end-user pages by simply clicking on the Details… click in the client or bringing up the required URL in a browser. No login was required. This however caused a number of problems in an education environment. The end-user pages expose sensitive information and a number of advanced features such as funds transfers. The problem was that students would momentarily leave their desktop and another student could jump in, open the browser, and transfer funds out of their account or gain access to other sensitive data or functions. To prevent this, we have designed PaperCut NG to require username/password authentication when the end user pages are initially accessed. The new authentication method also provides a consistent login interface for users across all operating systems.

Most customers prefer the security and consistency of the new authentication system. Some however prefer the legacy behavior of PaperCut Quota. The developers are planing on adding a non-default option to enable the legacy single-signon behavior in a future release.

This is a controversial topic. PaperCut Quota use to implement single-signon meaning that users could access the end-user pages by simply clicking on the Details… click in the client or bringing up the required URL in a browser. No login was required. This however caused a number of problems in an education environment. The end-user pages expose sensitive information and a number of advanced features such as funds transfers. The problem was that students would momentarily leave their desktop and another student could jump in, open the browser, and transfer funds out of their account or gain access to other sensitive data or functions. To prevent this, we have designed PaperCut NG to require username/password authentication when the end user pages are initially accessed.

keywords: single sign on, interface, web tools, login, NTLM, integrated authentication, auth

keywords: single sign on, interface, web tools, login, NTLM, integrated authentication

Most customers prefer the security of the new authentication system. Some however prefer the legacy behavior of PaperCut Quota. The developers are planing on adding a non-default option to enable the legacy single-signon behavior in a future release.

Categories: WebTools

(:title PaperCut NG End-user login:)

(title: PaperCut NG End-user login:)

This is a controversial topic. PaperCut Quota use to implement single-signon meaning that users could access the end-user pages by simply clicking on the Details… click in the client or bringing up the required URL in a browser. No login was required. This however caused a number of problems in an education environment. The end-user pages expose sensitive information and a number of advanced features such as funds transfers. The problem was that students would momentarily leave their desktop and another student could jump in, open the browser, and transfer funds out of their account. To prevent this, we have designed PaperCut NG to require username/password authentication when the end user pages are initially access.

keywords: single sign on, interface, web tools, login, NTLM

This is a contriverial topic. PaperCut Quota use to implement single-signon meaning that users could access the end-user pages by simply clicking on the Details… click in the client or bringing up the required URL in a browser. No login was required. This however caused a number of problems in an education environment. The end-user pages expose sensitive information and a number of advanced features such as funds transfers. The problem was that students would momentarily leave their desktop and another student could jump in, open the browser, and transfer funds out of their account. To prevent this, we have designed PaperCut NG to require username/password authentication when the end user pages are initially access.

Most customers prefer the security of the new authentication system. Some however prefer the legacy behaviour of PaperCut Quota. The developers are planing on adding a non-default option to enable the legacy single-signon behaviour in a future release.

(title: PaperCut NG End-user login)

Q Why do users have to log in when accessing the end-user web pages? Can I implement single-signon.

This is a contriverial topic. PaperCut Quota use to implement single-signon meaning that users could access the end-user pages by simply clicking on the Details… click in the client or bringing up the required URL in a browser. No login was required. This however caused a number of problems in an education environment. The end-user pages expose sensitive information and a number of advanced features such as funds transfers. The problem was that students would momentiarially leave their desktop and another student could jump in, open the browser, and transfer funds out of their account. To prevent this, we have designed PaperCut NG to require username/password authentication when the end user pages are intially access.

Most customers prefer the security of the new authentication system. Some however perfer the legacy behaviour of PaperCut Quota. The developers are planing on adding a non-default option to enable the legacy single-signon behavour in a future release.

[keywords: single sign on, interface, web tools, login]

Categories: WebTools