in reply to Re: Another question about session-id
in thread Another question about session-id

since the session ID is displayed in plain view in the browser's address bar and could be easily hijacked by a passerby

While I applaud your attention to security, I think you're passing the security boundary and into paranoia. If someone passing by can easily remember a sessionid then either your session ids are way too small or the person is wasting their time and should be in a casino somewhere counting cards.

But ... if you're still really worried, you could combine the true session id with something else, a nonce, that isn't seen by the passerby. Some people use the ip address of the incoming request but you really need to know your clients to do that (there could easily be lot's of clients coming from the same nat gateway). Or you could create a nonce on your own and insert it as a hidden field. The problem there ... every request would need to be a POST.

Personally, I've given up on the people who do not accept cookies. The only thing I try to do is minimize the number of cookies I create (I'm almost down to one!). It's a trade-off.

  • Comment on Re^2: Another question about session-id

Replies are listed 'Best First'.
Re^3: Another question about session-id
by dsheroh (Monsignor) on Dec 17, 2007 at 06:15 UTC
    While I agree that concern with passers-by memorizing or writing down a session ID in the URL is excessive (especially since most sites' session IDs are tacked onto the end of a URL that's large enough that it isn't all displayed on the screen anyhow), putting it in the URL also means that it will be recorded in the server's access log as well as any intermediate proxy logs. Those logs may be readable by untrusted third parties, creating a possible threat. (I wouldn't go so far as to call it a likely threat, but it's nowhere near as remote a possibility as someone looking over your shoulder and getting it off the screen.)

    In any case, like you, I've pretty well taken the position that cookies are a fact of life if you want to log in to a site, so just enable them (but disable third-party cookies if your browser has that option) and get on with it.