Session Token Cookies, should we force them on our users - Security Series #6.2

As we've discussed before, a session can be persisted using several methods. One of them is passing the session token in the URL. An example would look like this:

http://www.12robots.com/index2.cfm?CFID=117&CFTOKEN=e621304242be97c-8F216602-AE2F-D27A-789369B5BCA64FA9&jsessionid=f030802dc74f8f6d44ceb1629493c5b71156

Most of us have heard somewhere in our web development careers that this is a good way to persist a session if our users have cookies turned off. My question is, from a security standpoint, should we allow this? Or should we force our users to have cookies enabled?

Most of us have probably also heard that old (crap) adage about the customer always being right and that we should support all of our users whether or not they have cookies enabled.

So if we want our application to be really secure, should we pass the session token in the URL string?

I say No.

Our URL string is too easily compromised, too easily mishandled, and, frankly, it is an obnoxious pain to try to maintain session state through the URL.

It is my opinion that if you want a secure site, then session state should be persisted with session token cookies.

Problems with Session Tokens in the URL string

  • URL Sniffing - Unless you are using SSL on every page of your site where the session token would be used, the token travels in clear text in the request line and is too easily sniffed off the network.
  • URL Strings are logged in browser history and in server logs (and the full URL, token included, also goes out in the Referer header when a user follows a link to another site). If malicious users can get hold of any of these, either in real time or relatively quickly after your user logs off, they can reuse the token to take over that user's session and attack your application.
  • URL Strings are exposed in the browser window. Someone looking over a user's shoulder could obtain the session token. While this may be unlikely in some environments (like a user's house), can you assume that none of your users will use your application from work, the library, or the school computer lab?
  • Having the session token in ALL of your URL strings is bad for Search Engine Optimization (SEO). Depending on the purpose of your site, you may want to maintain a session for anonymous users (for example, if they start a shopping cart before they create an account). When Googlebot shows up at your site, it will be issued a token, that token will be carried in every URL it crawls, and those URLs will be indexed in Google. Not good.
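The second bullet is something you can check for rather than take on faith. What follows is an added example, not code from the original post: it scans Apache-style access-log lines for the CFID, CFTOKEN and jsessionid values that the post's example URL carries (both as query parameters and in the `;jsessionid=` path form servlet containers use), reports each exposure, and produces a redacted copy of the log so the stored version no longer contains live tokens. The log lines are constructed for the example; the token values are the ones from the post's URL, and the log format and function names are assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-string parameters that carry a session identifier in the post's example URL:
# ColdFusion's CFID/CFTOKEN pair and the servlet container's jsessionid.
SESSION_PARAMS = frozenset({"cfid", "cftoken", "jsessionid"})

# Servlet containers also rewrite the *path* as /page.cfm;jsessionid=<id>, so scan that too.
PATH_SESSION = re.compile(r";jsessionid=([^;/?#]+)", re.IGNORECASE)

# Apache/nginx "combined" access-log line (assumed format); only the request target matters here.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def find_session_tokens(target: str) -> list[tuple[str, str]]:
    """Return (name, value) pairs for every session identifier found in a request target."""
    parts = urlsplit(target)
    found = [(name, value)
             for name, value in parse_qsl(parts.query, keep_blank_values=True)
             if name.lower() in SESSION_PARAMS]
    found.extend(("jsessionid", m.group(1)) for m in PATH_SESSION.finditer(parts.path))
    return found


def redact_target(target: str) -> str:
    """Replace each session identifier with a fixed marker, leaving the rest of the URL
    intact so the sanitised log line is still useful for traffic analysis."""
    parts = urlsplit(target)
    query = [(name, "REDACTED" if name.lower() in SESSION_PARAMS else value)
             for name, value in parse_qsl(parts.query, keep_blank_values=True)]
    path = PATH_SESSION.sub(";jsessionid=REDACTED", parts.path)
    return urlunsplit(parts._replace(path=path, query=urlencode(query)))


def scan_access_log(lines):
    """Return (findings, sanitised_lines): one finding per line that exposed a token,
    plus a copy of the log with those tokens redacted."""
    findings, sanitised = [], []
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            tokens = find_session_tokens(m.group("target"))
            if tokens:
                findings.append({"client": m.group("client"), "time": m.group("time"),
                                 "target": m.group("target"), "tokens": tokens})
                line = (line[:m.start("target")] + redact_target(m.group("target"))
                        + line[m.end("target"):])
        sanitised.append(line)  # lines that do not parse pass through untouched
    return findings, sanitised


# Constructed sample log lines; the token values are the ones in the post's example URL.
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Dec/2008:12:35:01 -0600] "GET /index2.cfm?CFID=117&CFTOKEN=e621304242be97c-8F216602-AE2F-D27A-789369B5BCA64FA9 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [27/Dec/2008:12:35:04 -0600] "GET /cart.cfm;jsessionid=f030802dc74f8f6d44ceb1629493c5b71156?item=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [27/Dec/2008:12:36:10 -0600] "GET /about.cfm HTTP/1.1" 200 800 "-" "Googlebot/2.1"',
]

if __name__ == "__main__":
    found, clean = scan_access_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['time']} {f['client']} exposed {[n for n, _ in f['tokens']]} in {f['target']}")
    print("\n".join(clean))
```

Running the scan over a day's logs tells you how many of your own users are already walking around with their session in the address bar, which is usually the quickest way to win the argument with whoever insists on supporting cookie-less visitors.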

So, I say force your users to have cookies enabled on your secure site. Cookies got a bad name sometime in the mid-to-late '90s and some people are paranoid. Are cookies really that bad? Users need to be educated. Cookies will make your site more secure and it is for your users' own good. Hit them with an educational message:

"This site requires the use of cookies to maintain the security of your private information. You will need to enable cookies in your browser settings before you can continue using this site."
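Here is one way to put that policy into practice, written as an added Python example rather than anything from the original post or from ColdFusion itself. The request handler never adopts a token that arrives in the URL (it strips it and redirects to the clean URL, recording an event worth alerting on), issues the session token only in a cookie with the HttpOnly, SameSite and Secure attributes, and detects disabled cookies with a one-hop round trip before showing the message above. The cookie name `SESSIONID`, the `cookiecheck` marker parameter and the `handle_request` function are assumptions made for the example.

```python
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Hypothetical names chosen for this example; ColdFusion's own cookie names differ.
SESSION_COOKIE = "SESSIONID"
COOKIE_CHECK_PARAM = "cookiecheck"   # marker added to the URL for the round trip
URL_SESSION_PARAMS = frozenset({"cfid", "cftoken", "jsessionid"})

# The message the post suggests showing to users who have cookies disabled.
COOKIES_REQUIRED = ("This site requires the use of cookies to maintain the security of your "
                    "private information. You will need to enable cookies in your browser "
                    "settings before you can continue using this site.")


def session_cookie_header(token: str, https: bool = True) -> str:
    """Build the Set-Cookie value: HttpOnly keeps page scripts away from the token,
    SameSite=Lax stops it riding along on cross-site requests, and Secure (on HTTPS)
    keeps it off the wire in clear text."""
    attrs = [f"{SESSION_COOKIE}={token}", "Path=/", "HttpOnly", "SameSite=Lax"]
    if https:
        attrs.append("Secure")
    return "; ".join(attrs)


def strip_url_session(target: str) -> tuple[str, bool]:
    """Remove any session identifiers from the query string.
    Returns (cleaned_target, True if any were present)."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    kept = [(n, v) for n, v in pairs if n.lower() not in URL_SESSION_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept))), len(kept) != len(pairs)


def handle_request(target: str, cookie_header: str = "", https: bool = True) -> dict:
    """Decide how to answer one request. Returns {'status', 'headers', 'body', 'event'}."""
    cleaned, had_url_token = strip_url_session(target)
    if had_url_token:
        # Never adopt a token that arrived in the URL: drop it and bounce to the clean URL.
        # The event is worth logging, because it means a token was exposed somewhere.
        return {"status": 302, "headers": [("Location", cleaned)], "body": "",
                "event": "url_session_token_rejected"}

    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    has_marker = any(n == COOKIE_CHECK_PARAM for n, _ in pairs)
    without_marker = urlunsplit(parts._replace(
        query=urlencode([(n, v) for n, v in pairs if n != COOKIE_CHECK_PARAM])))

    if SESSION_COOKIE in SimpleCookie(cookie_header):
        if has_marker:  # the test cookie came back; take the marker off the URL again
            return {"status": 302, "headers": [("Location", without_marker)], "body": "",
                    "event": "cookie_check_passed"}
        return {"status": 200, "headers": [("Content-Type", "text/plain")],
                "body": "session ok", "event": "session_cookie_present"}

    if has_marker:
        # A cookie was set on the previous response and it did not come back.
        return {"status": 403, "headers": [("Content-Type", "text/plain")],
                "body": COOKIES_REQUIRED, "event": "cookies_disabled"}

    # First contact: issue a fresh random token in a cookie and redirect with the marker.
    token = secrets.token_urlsafe(32)
    check_url = urlunsplit(parts._replace(
        query=urlencode(pairs + [(COOKIE_CHECK_PARAM, "1")])))
    return {"status": 302,
            "headers": [("Set-Cookie", session_cookie_header(token, https)),
                        ("Location", check_url)],
            "body": "", "event": "cookie_check_started"}


if __name__ == "__main__":
    first = handle_request("/index2.cfm")
    cookie = dict(first["headers"])["Set-Cookie"].split(";")[0]
    second = handle_request(dict(first["headers"])["Location"], cookie_header=cookie)
    print(first["event"], "->", second["event"], second["headers"])
```

The `event` field is the piece a security operations team cares about: a steady stream of `url_session_token_rejected` events from one client, or a spike of `cookies_disabled`, is a signal that tokens are being passed around or that a crawler is hitting the site, and both are cheap to alert on.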

Comments
I agree totally, session ids in URLs are just plain bad.
# Posted By Pat | 12/27/08 12:35 PM
BlogCFC was created by Raymond Camden. This blog is running version 5.9.1.