How to prevent auto authentication on join_url after using start_url?

Description

Hello,

I’ve been using the Zoom API to generate Zoom Meetings and I noticed that Zoom seems to auto-authenticate users that have used the start_url before. That means that once a user has used the start_url once… they have to enter in as a host (unless they clear cookies out).

This is mostly problematic because the start_url won’t work for any users that need to use the web client. Meaning a user that uses the start_url is then forced to download and use the application.

Is there any way to prevent the join_url from being authenticated due to (possibly) cookies from the start_url joining?

How To Reproduce (If applicable)

  1. Create a zoom meeting via API
  2. Utilize the start_url and exit
  3. Utilize the join_url and try to enter in with the web client. You are forced to log in and then the link won’t work.

Hey @edwinthinks,

That is strange. The start_url should not collide with the join_url logic.

What do you mean by exit?

Is this the same user that is using both the start and join url?

Thanks,
Tommy

You could strip the ZAK token from the start_url or just build it yourself:

https://zoom.us/s/meetingID

That way, if the user is not already signed in as a host/alt_host, they will be prompted for authentication and not just the user defined as part of the ZAK token.
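The suggestion above (strip the ZAK token from the start_url, or build `https://zoom.us/s/meetingID` yourself) can be enforced in the code that hands out links. This is an added example, not part of the original posts and not Zoom's own code; it assumes the token travels in a query parameter named `zak`, and the function names and sample values are hypothetical:

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: the host (ZAK) token is carried in a query parameter named "zak".
HOST_TOKEN_PARAMS = {"zak"}


def _query_pairs(url):
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def carries_host_token(url):
    """True if the link embeds a host token and must not go to participants."""
    return any(k.lower() in HOST_TOKEN_PARAMS for k, _ in _query_pairs(url))


def strip_host_token(url):
    """Return the URL without the host token; other parameters are kept."""
    kept = [(k, v) for k, v in _query_pairs(url)
            if k.lower() not in HOST_TOKEN_PARAMS]
    return urlunsplit(urlsplit(url)._replace(query=urlencode(kept)))


def build_start_link(meeting_id):
    """Build the token-free host link in the form given in the post."""
    mid = str(meeting_id).replace(" ", "").replace("-", "")
    if not (mid.isascii() and mid.isdigit()):
        raise ValueError("meeting ID must be numeric")
    return f"https://zoom.us/s/{mid}"


def participant_link(url):
    """Refuse to hand out a link that would authenticate the visitor as host."""
    if carries_host_token(url):
        raise ValueError("link carries a host token; send the join_url instead")
    return url


if __name__ == "__main__":
    # Constructed sample values, not real meeting data.
    start_url = "https://zoom.us/s/1234567890?zak=CONSTRUCTED_TOKEN&lang=en"
    print(strip_host_token(start_url))
    print(build_start_link("123 456 7890"))
```

This only keeps the token out of links you distribute; it does not clear any host session already stored in a browser that previously opened a tokenized start_url.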

Hey Tommy,

What do you mean by exit?

I click on a link that goes to the start_url and close the browser window before entering the meeting.

Is this the same user that is using both the start and join url?

Hmm, it is the same person. But we aren’t having our users authenticate prior to clicking the start_url.

Hey samly,

Thanks for the suggestion. However, I believe that the join_url acts as a start_url without the ZAK token. The problem is the join_url seems to change into the start_url if I’ve ever navigated to the start_url before.

I hope this makes sense. Let me know if I can provide more clarifications.

Hey @edwinthinks,

Thanks for the additional details. Can you share what device / Zoom App version you are using so I can have the engineers look into this further?

-Tommy

Hey there Tommy,

I am using a Mac 10.14.6 and I was using Zoom Client 4.0? Although this problem seems to happen without using the app it seems.

Thanks!

Hey @edwinthinks,

Just so I understand correctly, you are not wanting to use the Zoom App, you want to use the start_url for the Zoom Web Client? Can you provide your use case here?

Thanks,
Tommy

Hello,

We’re having the same issue. Actually, the issue comes from the Cookies left in the browser.

When first using the “start_url” with the zak token, it seems like it’s writing something in the cookies.
Then, when closing Zoom (without being logged in) and then using the simple “join_url” without any zak token, it goes in automatically as the previous host!

It’s a huge security concern, because the previous start_url was not used with a login, but it seems like it’s leaving traces of the host user in the browser.

Perhaps the solution would be not to write any cookies to the browser when using “start_url”.
Which other solution would you offer?

Thanks

An additional point, which may be the essential point for me:

When using a custom join_url link for an invited user (zoom.us/w/MeetingID?tk=Token), it should override any saved cookie data from before. And now it’s not doing it…
I have no way to force the person to log in as the “invited user” URL; if the previous URL was a start_url, it would go inside as a host, even if the Meeting is closed and the Zoom App is closed.

I’ve found out that if I go first to zoom.us/logout, before browsing to the join_url for the invited user, then the user comes as his real name, and not as a host.

I think this is a main security concern. There shouldn’t be any reason that when simply using a start_url link, it should leave traces on the zoom website…

Please advise,

Thanks

Hey @osdev,

Thanks for sharing these details, I will pass them to our engineering asap so we can investigate and fix the issue. (ZOOM-171226)

Thanks,
Tommy

Hey @osdev,

I have just private messaged you to request the start_url and join_url so we can reproduce the issue.

Thanks,
Tommy

Hi @tommy,

Same thing here. If I use a start_url, leave the meeting and then go to the join_url, I am still the host. This is true even if it is another meeting in our account. Can you please provide me with information on whether we can expect a change here soon?

Kind regards,
Ben

Hey @online-days,

We are looking into this issue. We should have an update on its status by next week.

Thanks,
Tommy

Hey @online-days, @osdev, @edwinthinks, @samly,

Our engineering team is testing this and looking into the best way to implement the fix. I will keep you all updated on its development.

Thanks,
Tommy

Hey @online-days,

Can you please provide a video of this? Our engineers need more details.

Thanks,
Tommy