views: 90

answers: 2

I'm building a Flex client against a Struts backend and I have to find a way to transmit the session token without relying on cookies, because I can't use cookies in a Flash movie.

I'm looking at putting the token in either the message body or the URL. Putting it in the URL has somewhat of a bad reputation, security-wise. However, I just read up on session hijacking, CSRF and XSS, and I couldn't really see why it should be worse than cookies. If anything, not having a cookie that is transparently sent along whenever you access a particular domain is more secure, or is it?

Basically, the only reason I can see is that the token is visible in the request and might be leaked via the browser history, a web server log etc. How bad is this really, and are there ways to mitigate risks? What other risks might there be?

Possible Duplicate: Session Id in url and/or cookie?

+4  A: 

How bad is this? Well, one of our competitors had a link from their internal (session based pages) to our site and I saw it on the server logs. Quick copy and paste with the /sess/sess_34984923_34423423/ type stuff and I was logged into their system with full access permissions of that user (luckily, they weren't an administrator and it wasn't anything "super secure" like a bank/email etc: but still).

Also, depending on how exactly you implement it, the full URL (including the session token) could be cached by proxy servers and even by Google (if people use the Google toolbar).

The way I've done this Flash session interactivity is to send a session identifier in the Flash parameters (in the HTML) to the Flash which then sends it back to the server. I've found most browsers/Flash combinations also send the cookie which I further authenticate against.

Richy C.
Right, I forgot the `Referer` header, that *is* bad enough. Do you have any more detailed info on how and when Flash actually does send the session cookie? I sort of assumed that it would, but at least with JSESSIONID, it didn't. Also, by "which then sends it back to the server", do you mean it does so automatically, and in which part of the request do you do it?
Hanno Fietz
Could you bind the session value to their originating IP and maybe a hash of their user agent string? That might make it a tad safer, but it's far from perfect if multiple people connect from the same IP (like a company network, multiple home users etc.).
mrwayne
When using Flash, I've seen some browsers send the Flash "user-agent" instead of their own, so mrwayne's won't work. I've found under PHP (using a custom cookie name), it was being passed (checked with all major browsers). The last paragraph: I just have a Flash parameter which Flash just sends back via the AMF call to the server (are you using AMF or some other communications system between Flash and the server)?
Richy C.
+1  A: 

I have an anecdote for you. I was filling out some paperwork for a well known company in the US. They printed out a confirmation page generated by a web application. How do I know? At the bottom of the page, Windows' print manager included the URL, which had the JSESSIONID.

Let me be clear, the employee just handed me a sheet of paper that would allow me to login immediately as if I had their username and password. DOAH!

Rook