An Authentication Flaw in Browser-based Single Sign-On Protocols: Impact and Remediations