An authentication flaw in browser-based single sign-on protocols: Impact and remediations