I’ve been using the Zoom API to generate Zoom Meetings and I noticed that Zoom seems to auto-authenticate users that have used the start_url before. That means, once a user has used the start_url once… they have to enter in as a host (unless they clear cookies out).
This is mostly problematic because the start_url won’t work for any users that need to use the web client. Meaning a user that uses the start_url is then forced to download and use the application.
Is there any way to prevent the join_url from being authenticated due to (possibly) cookies from the start_url joining?
How To Reproduce (If applicable)
Create a zoom meeting via API
Utilize the start_url and exit
Utilize the join_url and try to enter in with the web client. You are forced to login and then the link won’t work.
That way, if the user is not already signed in as a host/alt_host, they will be prompted for authentication and not just the user defined as part of the ZAK token.
Thanks for the suggestion. However, I believe that the join_url acts as a start_url without the ZAK token. The problem is the join_url seems to change into the start_url if I’ve ever navigated to the start_url before.
I hope this makes sense. Let me know if I can provide more clarifications.
Just so I understand correctly, you are not wanting to use the Zoom App, you want to use the start_url for the Zoom Web Client? Can you provide your use case here?
We’re having the same issue. Actually, the issue comes from the Cookies left in the browser.
When using first the “start_url” with the zak token, seems like it’s writing something in the cookies.
Then, when closing Zoom (without being logged), and then using the simple “join_url” without any zak token, it goes in automatically as the previous host!
It’s a huge security concern, because the previous start_url was not used with a login, but seems like it’s leaving traces of the host user in the browser.
Perhaps the solution would be not to write any cookies to the browser when using “start_url”.
Which other solution would you offer?
An additional point, which may be the essential point for me:
When using a custom join_url link for an invited user (zoom.us/w/MeetingID?tk=Token), it should override any saved cookie data from before. And now it’s not doing it…
I have no way to force the person to login as the “invited user” URL, if the previous URL was a start_url, it would go inside as a host, even if the Meeting is closed, and Zoom App is closed.
I’ve found out that if I go first to zoom.us/logout, before browsing to the join_url for the invited user, then the user comes as his real name, and not as a host.
I think this is a main security concern. There shouldn’t be any reason that when simply using a start_url link, it should leave traces on the zoom website…
Same thing here. If I use a start_url, leave the meeting and then go to the join_url, I am still the host. This is true even if it is another meeting in our account. Can you please provide me with information whether we can expect a change here soon?
This should be fixed. Can you confirm that you’re not already logged into zoom.us or the Zoom Client as the meeting host when you click on the join_url? Does this still happen if you join via incognito mode?