mad_

Reputation: 8273

What is the concept of saving session id in cookie?

I am developing a secured website for an enterprise. I want it to be perfectly secured from all known vulnerabilities. I came across creating secure cookies and enabling HTTPOnly, but in that example they were using a cookie whose value was a session Id. I didn't understand. Would not using this way be a threat?

Upvotes: 3

Views: 3798

Answers (1)

Thomas

Reputation: 88707

You need to send a session id to the client and back to the server in order to match requests coming from that client to the session.

AFAIK there are only two ways to pass the session id: as a cookie or as a parameter (in most cases that would have to be a URL parameter to support GET requests). Sending the session id via parameter is a vulnerability though, since an attacker could provide a link with a precrafted session id (session fixation), while doing the same with cookies is at least hard (if not impossible).

Sending the session id via URL parameters is not only a security problem, though. Assume someone copies the URL and sends it to someone ("hey look at this") or posts it somewhere on the web. As long as the session exists, everyone accessing that link would use the same session and interfere with each other. Granted, there are ways to identify a user regardless of session (IP, MAC address etc.) but those measures often are not feasible or impose other restrictions (how would you handle roaming mobile users, for example?).

Upvotes: 8
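As an added example (not from the answer above or the questioner), here is the server-side half of what Thomas describes in Python: the session id is generated by the server with a CSPRNG, only server-issued ids are honoured (so a pre-crafted id carried in a link is simply ignored), the id is read from the Cookie header and never from URL parameters, it is sent back with HttpOnly/Secure/SameSite, and it is rotated at login. The class and the cookie name `sid` are assumptions for this example.

```python
import secrets
from http.cookies import SimpleCookie

SESSION_COOKIE = "sid"  # assumed cookie name for this example


class SessionStore:
    """In-memory session store keyed by server-generated ids (constructed example)."""

    def __init__(self):
        self._sessions = {}

    def create(self, data=None):
        # 32 random bytes (~256 bits) from the OS CSPRNG: not guessable, not enumerable.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = dict(data or {})
        return sid

    def lookup(self, sid):
        # Only ids this server issued resolve to a session. An id that an attacker
        # chose and planted in a link (fixation) was never created here, so it is None.
        return self._sessions.get(sid)

    def rotate(self, old_sid):
        """Issue a fresh id for the same session data, e.g. right after login,
        so any id that was known before authentication stops being valid."""
        data = self._sessions.pop(old_sid, None)
        if data is None:
            return None
        return self.create(data)


def build_set_cookie(sid):
    """Build the Set-Cookie header value: HttpOnly keeps the id away from page
    scripts, Secure keeps it off plaintext HTTP, SameSite limits cross-site sending."""
    c = SimpleCookie()
    c[SESSION_COOKIE] = sid
    c[SESSION_COOKIE]["httponly"] = True
    c[SESSION_COOKIE]["secure"] = True
    c[SESSION_COOKIE]["samesite"] = "Lax"
    c[SESSION_COOKIE]["path"] = "/"
    return c.output(header="").strip()


def session_from_request(store, cookie_header):
    """Resolve the session from the Cookie header only; URL parameters are never consulted."""
    c = SimpleCookie()
    c.load(cookie_header or "")
    morsel = c.get(SESSION_COOKIE)
    return store.lookup(morsel.value) if morsel is not None else None
```

A request carrying `?sid=...` in the URL therefore has no effect on which session is used, and an id that was never issued by `SessionStore.create` resolves to no session at all.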
