Cookiless Session Is it a security risk?

Question

Hi

http://msdn.microsoft.com/en-us/library/aa479314.aspx

You have a user who successfully log in from a machine in Cybercafe, Hacker H able to sniff the network and get the sessionID of the user, Can H use the sessionId and act as the user from another machine?

Can H enter http://folder/(session id)/CreditCardInformation.aspx to know the credit card number of the user?

Answer 1

Yes.

If the hacker gets your session id, he can do whatever you can do on that website.

To prevent this, the authentication form and all subsequent pages are always served over https. Among other things, https eliminates (or atleast reduces) man in the middle attacks.

Answer 2

Well that depends on a lot of things.

Basically, YES, if you know a URL, you can see what is behind. The hacker will be able to do whatever he wants once he/she has the session id.

A cookie based session id can also be intercepted by the hacker if he/she has access to the http flow.

Nevertheless there are a few additional securities that can be put in place. For example :

• (session id) should be valid only for a short period
• (session id) can be valid only for a specific IP (the IP that created the session)
• (session id) can be valid only for a certain user-agent / flash version / .. signature
• (session id) can be changed for each new page view, deprecating the previous session_id

When handling credit card information,

1. Always use https. It is more secure because the datas are encrypted between at least the browser and the first https proxy on the route to the server
2. The case when you would need to manipulate credit card information yourself are rare. Websites handling credit card by themselves nowadays are more and more forced to respect the PCI/DSS rules which can be quite a burden. You should probably get a contract with a banking solution where the credit card will be submited on their web pages, or use paypal for instance.
3. Never keep credit card information in your database unless you have the necessary security solutions in place, with a regular external audit.

The following link may give you further insights on session id best practices.

I hope this will help you Jerome WAGNER

Answer 3

In a word, Yes, for the reasons described by other posters.

Of course, if you use an unencrypted HTTP connection to pass Credit Card Information he'll be able to sniff that credit card info directly no matter what session info you enter. You need to implement ssl/https no matter what session method you use.

Answer 4

I am a bit concerned that no one has listed these 2 attacks:

1) Session Fixation A hacker vists your web site and gets one of these session urls. He then sends out many spoofed emails to probable users to make them appear as though they are coming from your site. The email is asking the to login and they are given a session url by the attacker. Then, the attacker checks the session url periodically to see if someone has authenticated. If they have, then the attack succeeded and the hacker just stole an account. A fix to this issue is to store the user's ip address in a session variable upon creation and check it for each request. If you are only passing the session id via Cookie then an attacker cannot set the cookie value on another browser for a domain he doesn't control, thus this attack cannot be carried out.

2) A Printer: Sometimes people print a a page from a website. Ever look at the very bottom of a page printed from a website? Well, usually the URL of the page is there. If you where to print out a page, and then give it to someone it is as if you just wrote down your username/password and gave it to them.

Avoid session urls at all costs.

Use SSL for the entire session. If you don't then you will leak the session id (this is true if you are using a cookie!). This use of ssl is a clear requirement of A3 "Broken Authentication and Session management" OWASP top 10 for 2010.