I got a question from a customer regarding the possibility to not have custSessionKey visible in the browser when you are logged in to a customer center.
By default this is how the customer center looks out of the box:
If you remove the highlighted part of the URL in the snippet above you get logged back out.
One of our customers from time to time sends URLs from the CC to other employees.
Since the custSessionKey is included in the URL, the receiver (user2) of the URL gets logged in on behalf of another user (user1).
They want to make sure this cannot happen, and have introduced routines internally to edit the URL before sending it to someone else. But this is only a good solution as long as everyone does as they are told, and from time to time this slips up and they ask me/us if it's possible to handle this automatically.
The only way I can think of is to use window.location.replace and remove it from the URL on page load, but that would just throw them out of the CC.
It looks to be 'by design' and I'm not sure what to tell them when they ask why this is not stored in cookies instead of in the URL directly (?).
Has anyone done anything 'smart' to circumvent this 'issue'?
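
An added example, not part of the original post and not the product's own code: instead of rewriting the address bar (which ends the session), a "copy link" action can hand out a cleaned copy of the URL while the sender's own page keeps its key. It assumes custSessionKey travels as a query parameter (matched case-insensitively); the button id `copy-link` and the host names are hypothetical.

```javascript
// Parameter name taken from the post; where it sits in the URL is an assumption.
const SESSION_PARAMS = new Set(["custsessionkey"]);

// Remove session parameters from a raw query string ("a=1&b=2", no leading "?").
function stripQuery(query) {
  return query
    .split("&")
    .filter((pair) => {
      if (pair === "") return false;
      let name = pair.split("=")[0];
      try { name = decodeURIComponent(name); } catch (e) { /* keep the raw name */ }
      return !SESSION_PARAMS.has(name.toLowerCase());
    })
    .join("&");
}

// Return a copy of href that no longer carries the sender's session key.
function shareableUrl(href) {
  const url = new URL(href);
  const query = stripQuery(url.search.slice(1));
  url.search = query ? "?" + query : "";
  // Parameters can also follow the fragment ("#view?x=1"); clean those too.
  const q = url.hash.indexOf("?");
  if (q !== -1) {
    const rest = stripQuery(url.hash.slice(q + 1));
    url.hash = url.hash.slice(0, q) + (rest ? "?" + rest : "");
  }
  return url.toString();
}

// Browser wiring: a hypothetical "copy link" button puts the cleaned URL on the
// clipboard. The current page is not navigated, so the sender stays logged in.
if (typeof document !== "undefined") {
  const button = document.getElementById("copy-link"); // hypothetical id
  if (button) {
    button.addEventListener("click", () =>
      navigator.clipboard.writeText(shareableUrl(window.location.href)));
  }
}
```

The key still appears in the address bar, browser history and server logs, so this only covers links shared through the button.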