How to prevent auto authentication on join_url after using start_url?

Hey Tommy,

What do you mean by exit?

I click on a link that goes to the start_url and close the browser window before entering the meeting.

Is this the same user that is using both the start and join url?

Hmm, it is the same person. But we aren’t having our users authenticate prior to clicking the start_url

Hey samly,

Thanks for the suggestion. However, I believe that the join_url acts as a start_url without the ZAK token. The problem is the join_url seems to change into the start_url if I’ve ever navigated to the start_url before.

I hope this makes sense. Let me know if I can provide more clarifications.

Hey @edwinthinks,

Thanks for the additional details. Can you share what device / Zoom App version you are using so I can have the engineers look into this further?

-Tommy

Hey there Tommy,

I am using a Mac 10.14.6 and I was using Zoom Client 4.0? Although this problem seems to happen without using the app it seems.

Thanks!

Hey @edwinthinks,

Just so I understand correctly, you are not wanting to use the Zoom App, you want to use the start_url for the Zoom Web Client? Can you provide your use case here?

Thanks,
Tommy

Hello,

We’re having the same issue. Actually, the issue comes from the Cookies left in the browser.

When using first the “start_url” with the zak token, seems like it’s writing something in the cookies.
Then, when closing Zoom (without being logged), and then use the simple “join_url” without any zak token, it goes-in automatically as the previous host!

It’s a huge security concern, because the previous start_url was not used with a login, but seems like it’s leaving traces of the host user in the browser.

Perhaps the solution would be not to write any cookies to the browser when using “start_url”.
Which other solution would you offer?

Thanks

An additional point, which may be the essential point for me:

When using a custom join_url link for an invited user (zoom.us/w/MeetingID?tk=Token), it should override any saved cookie data from before. And now it’s not doing it…
I have no way to force the person to login as the “invited user” URL, if the previous URL was a start_url, it would go inside as a host, even the Meeting is closed, and Zoom App is closed.

I’ve found out that if I go first to zoom.us/logout, before browsing to the join_url for the invited user, then the user comes as his real name, and not as a host.

I think this is a main security concern. There shouldn’t be any reason that when simply using a start_url link, it should leave traces on the zoom website…

Please advise,

Thanks

Hey @osdev,

Thanks for sharing these details, I will pass them to our engineering asap so we can investigate and fix the issue. (ZOOM-171226)

Thanks,
Tommy

Hey @osdev,

I have just private messaged you to request the start_url and join_url so we can reproduce the issue.

Thanks,
Tommy

Hi @tommy,

Same thing here. If I use a start_url, leave the meeting and then go to the join_url, I am still the host. This is true even if it is another meeting in our account. Can you please provide me with information whether we can expect a change here soon?

Kind regards,
Ben

Hey @online-days,

We are looking into this issue. We should have an update on its status by next week.

Thanks,
Tommy

Hey @online-days, @osdev, @edwinthinks, @samly,

Our engineering team is testing this and looking into the best way to implement the fix. I will keep you all updated on its development.

Thanks,
Tommy

Hey @online-days,

Can you please provide a video of this? Our engineers need more details.

Thanks,
Tommy

Hey @samly, @osdev, @online-days, @edwinthinks,

This will be fixed later this month. :slight_smile:

Thanks,
Tommy

Is ZOOM-171226 already fixed? I still act as host when using join url

Hi @dpb36dpb36,

This should be fixed. Can you confirm that you’re not already logged into zoom.us or the Zoom Client as the meeting host when you click on the join_url? Does this still happen if you join via incognito mode?

Let me know—thanks!
Will

This is not fixed. I am able to reproduce exactly as described in May last year. Being able to allow someone else to join as the host is actually desirable, but it must be just for that meeting.

However, I can clear the token on the Join URL if I add ‘?token=’ to the link, so perhaps that is the fix? Please confirm.

@matt_b are you already logged into zoom.us or the Zoom Client as the meeting host when you click on the join_url?