 |
URL-based session is insecure and so is JavaBlogs.comSeptember 2nd, 2008 | by Jevgeni Kabanov | |
There are two main ways to associate a session state with a user — session cookies and session URL parameters. However for public sites there may be some risks for the URL-based approach.
Cookies are saved on the computer and are only ever sent in requests to the domain that has saved them. They have always been a focus of security attacks and thus they are pretty well protected. E.g. they cannot be accessed by the included third-party JavaScripts, which is important considering the current proliferation of web widgets.
On the other hands URLs are definitely accessible to the third-party scripts. What’s even worse, is that the browser will send the URL of the previous page as Referrer, when you click a link to go to the third-party site. Since most web servers will log the Referrer the owner of that site can access the logged-in user session as long as it’s live and possibly access private user data.
We hit this issue, when watching the statistics for ZeroTurnaround and clicking on a referrer link to JavaBlogs.com, which uses URL-based sessions. To our surprise we could access the logged in user data. Of course on JavaBlogs there’s not really that much data to access, but on another site this could be a serious issue.
For all I know this issue could be a very old and well-known one, but I never heard of it and apparently neither have JavaBlogs owners. If you’re making a public site make sure to keep this in mind.