开发者

Passing session identifier as a query string parameter

Are there any security practices/techniques/considerations when, for example during (long/continuous) polling or normal requests between clients and server, session ID is sent/passed to the server as开发者_如何学Python a query string parameter instead of a value stored in a cookie?

I can think of session hijacking or sniffing when someone would stole this session ID from query string and use it to impersonate himself, but I think the same thing can also happen to cookie value (I guess this can be prevented only by using https).


When passing session tokens as URL params two things you specifically need to worry about is browser history and server logs. URL params are typically stored in both and are then exposed in plaintext whether or not you use SSL.

They can also accidentally be exposed by end-users if they were to copy and paste from the browser to Twitter, for example.

It doesn't sound like you are talking about normal browsing. But if you are, then using URL params is strongly discouraged.

You also mentioned polling, but in my experience, if a cookie is available then it is sent along in the polling request removing the need for it to be in the URL.

And for server to server traffic you still need to worry about IDs being saved in the server logs.

The only argument I have ever heard for using session tokens in URL is to accomodate users who have cookies disabled. I prefer to pretend like those users don't exist.


In addition to the risks that Jason mentions, a third risk is that the session token might be disclosed to other sites via the Referer: header. I would not recommend sending the session token as a query string parameter.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜