Session Token Cookies, should we force them on our users - Security Series #6.2

As we've discussed before, a session can be persisted using multiple methods. One of those methods is by passing the session token via the URL. An example would look like this:

Most of us have heard somewhere in our web development careers that this is a good way to persist a session if our users have cookies turned off. My question is, from a security standpoint, should we allow this? Or should we force our users to have cookies enabled?

Most of us have probably also heard that old (crap) adage about the customer always being right and that we should support all of our users whether or not they have cookies enabled.

So if we want our application to be really secure, should we pass the session token in the URL string?

I say No.

Our URL string is too easily compromised, too easily mis-handled, and, frankly, it is an obnoxious pain to try to maintain session state through the URL.

It is my opinion that if you want a secure site, then session state should be persisted with session token cookies.

Problems with Session Tokens in the URL string

  • URL Sniffing - Unless you are using SSL on every page of your site where the session token would be used, it is too easy to have your URL string sniffed.
  • URL Strings are logged in browser history and in server logs. If malicious users can get hold of either in real time or relatively quickly after your user logs off, then they could attack your application with a still-valid token.
  • URL Strings are exposed in the browser window. Someone looking over a user's shoulder could obtain the session token. While this may be unlikely in some environments (like in a user's house), can you assume that none of your users are going to use your application from their work, or the library, or the school computer lab?
  • Having the session token in ALL of your URL strings is bad for Search Engine Optimization (SEO). Depending on the purpose of your site, you may want to maintain session for anonymous users (like if they start a shopping cart before they create an account). When Googlebot shows up at your site, it will get a token, that token will be passed around in every URL, and those URLs will get indexed in Google. Not good.
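To make the logging point above concrete, here is an added example (my own, not code from the post): it scans constructed Apache-style access-log lines for session tokens carried in the URL, the kind of exposure the post warns about, and builds the cookie-based alternative with the standard Secure, HttpOnly and SameSite attributes. The parameter-name list, the log lines and the cookie name are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Query/path parameter names commonly used to carry a session token
# (assumed list for this example; extend it for your own framework).
SESSION_PARAMS = {"sessionid", "session_id", "sid", "phpsessid", "jsessionid", "cfid", "cftoken"}

# Constructed sample lines in the Apache/Nginx "combined" log format.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Dec/2008:12:35:01 -0500] "GET /cart?item=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [27/Dec/2008:12:35:09 -0500] "GET /cart?item=42&sessionid=abc123def456 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Dec/2008:12:36:00 -0500] "GET /account;jsessionid=9F0A HTTP/1.1" 200 80 "-" "Googlebot/2.1"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d+)')


def find_leaked_tokens(log_text):
    """Return one record per request whose URL carries a session token.
    The token is redacted to a 4-character prefix so the finding does not re-leak it."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        candidates = {}
        # Query-string form, e.g. /cart?sessionid=...
        for name, values in parse_qs(parts.query).items():
            if name.lower() in SESSION_PARAMS:
                candidates[name] = values[0]
        # Servlet-style path-parameter form, e.g. /account;jsessionid=...
        for seg in parts.path.split(";")[1:]:
            name, _, value = seg.partition("=")
            if name.lower() in SESSION_PARAMS:
                candidates[name] = value
        for name, value in candidates.items():
            findings.append({"ip": m.group("ip"), "path": parts.path.split(";")[0],
                             "param": name, "token_prefix": value[:4] + "..."})
    return findings


def session_cookie_header(token, max_age=None):
    """Cookie-based alternative: Secure (HTTPS only), HttpOnly (no script access),
    SameSite=Lax (not sent on cross-site POSTs). Cookie name 'session' is assumed."""
    attrs = [f"session={token}", "Path=/", "Secure", "HttpOnly", "SameSite=Lax"]
    if max_age is not None:
        attrs.append(f"Max-Age={int(max_age)}")
    return "Set-Cookie: " + "; ".join(attrs)
```

Running `find_leaked_tokens(SAMPLE_LOG)` reports the second and third requests, including the one made by a crawler, which is exactly the indexing problem described in the last bullet.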

So, I say force your users to have cookies enabled on your secure site. Cookies got a bad name sometime in the mid to late 90s and some people are paranoid. Are cookies really that bad? Users need to be educated. Cookies will make your site more secure and it is for your users' own good. Hit them with an educational message:

"This site requires the use of cookies to maintain the security of your private information. You will need to enable cookies in your browser settings before you can continue using this site."

I agree totally, session ids in URLs are just plain bad.
# Posted By Pat | 12/27/08 12:35 PM
Session cookies are bearer tokens which implies whoever has them can increase full access as the legitimate proprietor. You need to have the capacity to complete a couple of things to lessen chance. Ensuring that nobody other than the server can issue substantial qualifications is the absolute minimum and that is what is being done in express-session.
# Posted By professional assignment writers | 7/6/18 6:38 AM
Thanks for great information about session cookies and I appreciate your blog, such knowledgeable words.
# Posted By Cape Business School | 12/17/18 6:29 AM
BlogCFC was created by Raymond Camden. This blog is running version 5.9.1.