Hi,

I would like to ask what's the benefit of passing the session id in the URL, as I have seen many websites do it? And what are the possible uses of it when it's in the URL?

Thanks,
Jassim

    If either the user isn't allowing cookies to be stored or you're having them transition from one page to another in a way that might make it hard to carry the SID (different subdomains or session managers, for instance), it's a handy way to make sure the proper session remains associated with the user.

      While handy, it is also a security risk, e.g., it makes it easier for an attacker to try session fixation by passing a link to an unsuspecting user who then uses the session without realising that the attacker also has access to the session.

        laserlight;11046927 wrote:

        While handy, it is also a security risk, e.g., it makes it easier for an attacker to try session fixation by passing a link to an unsuspecting user who then uses the session without realising that the attacker also has access to the session.

        I believe what laserlight refers to is called "session fixation."

        OWASP has a handy cheat sheet for dealing with sessions which looks pretty informative.

        Another issue with putting the session id in the URL is that users might copy and email this URL to others (or paste it in a text message or IM client or something), not realizing that giving another user the session id will also grant them access to one's account.

        You can usually mitigate this risk by having your code make sure that IP addresses do not change for a session (and possibly user agents, etc.), but this has its own inconveniences.
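The defences discussed in this thread, as an added example that is not code from any poster: a small server-side session store that only accepts ids the server itself issued, regenerates the id at login so a link-supplied id is never promoted to an authenticated session (the fixation case), and binds each session to the client's IP address and User-Agent so a copied or emailed id is useless from another client. The class and method names, and the sample IP/User-Agent values in the comments, are assumptions made for the example.

```python
import hashlib
import hmac
import secrets


class SessionStore:
    """In-memory session store; ids come only from cookies, never from the URL."""

    def __init__(self):
        self._sessions = {}  # sid -> {"binding": str, "user": str | None}

    @staticmethod
    def _binding(ip, user_agent):
        # Hash the client fingerprint so the raw strings are not stored alongside the session
        return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()

    def start(self, ip, user_agent):
        """Create a new anonymous session; the server, not the client, chooses the id."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"binding": self._binding(ip, user_agent), "user": None}
        return sid

    def lookup(self, sid, ip, user_agent):
        """Return the session for sid, or None if it is unknown or presented by a different client."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if not hmac.compare_digest(sess["binding"], self._binding(ip, user_agent)):
            # Binding mismatch (e.g. a forwarded URL used elsewhere): invalidate the session
            del self._sessions[sid]
            return None
        return sess

    def login(self, sid, ip, user_agent, user):
        """Authenticate the user and always issue a fresh id.

        Whatever id the client presented (valid, expired, or planted in a link by a
        third party) is retired, so a pre-chosen id can never become an authenticated one.
        """
        self.lookup(sid, ip, user_agent)  # drops the old session if the binding is wrong
        self._sessions.pop(sid, None)  # retire the presented id unconditionally
        new_sid = self.start(ip, user_agent)
        self._sessions[new_sid]["user"] = user
        return new_sid
```

Binding to the IP address is the trade-off sneakyimp mentions: clients behind rotating proxies or mobile carriers will be logged out when their address changes, so many sites bind only to the User-Agent or skip binding and rely on regeneration plus cookie-only ids.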

          Oops. Apparently laserlight already mentioned that it's called 'session fixation.' I should pay more attention.

          laserlight, fyi:

          laserlight has exceeded their stored private messages quota and cannot accept further messages until they clear some space.

            sneakyimp wrote:

            laserlight has exceeded their stored private messages quota and cannot accept further messages until they clear some space.

            Shh... that's my secret to prevent random people asking me to do things for them personally.

            Or maybe it is just 12 years of messages. Hmm...