Hi Andrew,

Many thanks for the quick answer.

Yes, I did mean encoding the session id in the URL
("http://host/foo.jsp;jsessionid=123?page=Main").

We want to disable cookies in our dev environment so that we can log
into the same app multiple times from the same browser; this makes
testing some things a lot easier. Firefox shares cookies between windows
unless you go to a lot of effort (setting up separate profiles). Note
that in the setup here, there is a large existing webapp with an
embedded jspwiki engine to serve the help pages; disabling a dev/test
feature in order to support the (small) help engine feature hasn't been
terribly popular.

I'm working on enabling this in JSPWiki anyway, but won't bother
submitting the patches here.

By the way, I don't see cookies as a lot more secure. The cookie text is
also sent in plain text in both the request and response bodies. There
aren't many cases where someone can intercept the url but not the
cookies. But thanks for the reference to OWASP; I'll have a look at what
they say about that.

Regards,
Simon

Andrew Jaquith wrote:
> Putting the session ID in the URL (which is I think what you are
> asking about) is a fairly severe security risk. Cloning the session
> becomes trivial if the URL is obtained.
>
> I know that in certain locales (Germany, for example), it is believed
> that cookies represent an invasion of privacy. But, perversely,
> banning cookies actually decreases the overall level of security for
> webapps because the session ID is now exposed in the URL. For this
> reason, the practice of adding session IDs to webapp URLs has always
> been discouraged by best-practice organizations such as OWASP.
>
> Janne's comment from 2006, I expect, still holds. We would encourage
> anyone who wishes to eliminate cookies -- in spite of best-practice
> advice from the security community -- to write their own patches. But
> it is extremely unlikely that JSPWiki will ever incorporate a "no
> cookie" (URL rewriting) feature.
>
> Andrew
>
> On Jun 18, 2008, at 10:20 AM, Simon Kitching wrote:
>
>> Hi,
>>
>> This email from 2006 says that "url rewriting" (i.e. having sessions
>> without cookies) is not supported by JSPWiki. Is this still true for
>> later releases?
>>   http://www.nabble.com/URL-Rewriting-to6040752.html#a6042004
>>
>> Thanks,
>> Simon
>>
>
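The exposure Andrew describes above (the session ID travelling inside the URL, as in Simon's `foo.jsp;jsessionid=123?page=Main` example) is something a defender can spot in ordinary access logs, because every rewritten URL is written to disk in clear text. As an added example that is not part of this thread or of JSPWiki: a small Python checker that extracts the servlet-style `;jsessionid=` path parameter, redacts it for safe logging, and flags an ID that is replayed from more than one client address. The log lines and host names are constructed.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Servlet URL rewriting carries the session ID as a *path parameter*:
#   /foo.jsp;jsessionid=123?page=Main
# It sits before the query string, so it is not a query parameter.
_JSESSIONID = re.compile(r";jsessionid=([^;?#/]+)", re.IGNORECASE)

def extract_jsessionid(url: str) -> Optional[str]:
    """Return the session ID carried in the URL path, or None if absent."""
    m = _JSESSIONID.search(urlsplit(url).path)   # path only: query/fragment dropped
    return m.group(1) if m else None

def redact_jsessionid(url: str) -> str:
    """Mask the session ID so a URL can be written to logs or bug reports."""
    return _JSESSIONID.sub(";jsessionid=[REDACTED]", url)

# Combined access-log format (client, ident, user, [time], "request", status, bytes, "referer").
_LOG = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                  r'"\S+ (?P<url>\S+) \S+" \d{3} \S+ "(?P<referer>[^"]*)"')

def scan_access_log(lines):
    """Return (line_no, client_ip, field, session_id) for every line whose
    request URL or Referer header carries a session ID in clear text."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        m = _LOG.match(line)
        if not m:
            continue
        for field in ("url", "referer"):
            sid = extract_jsessionid(m.group(field))
            if sid:
                findings.append((line_no, m.group("ip"), field, sid))
    return findings

def shared_session_ids(findings):
    """Session IDs presented from more than one client address: the
    'cloned session' case, where a copied URL is replayed by someone else."""
    ips_by_sid = {}
    for _, ip, _, sid in findings:
        ips_by_sid.setdefault(sid, set()).add(ip)
    return sorted(sid for sid, ips in ips_by_sid.items() if len(ips) > 1)

# Constructed sample log lines (hypothetical host wiki.example, not a real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Jun/2008:10:20:01 +0200] "GET /wiki/Main.jsp HTTP/1.1" 200 4122 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [18/Jun/2008:10:20:07 +0200] "GET /wiki/Edit.jsp;jsessionid=ABC123DEF?page=Main HTTP/1.1" 200 5310 "http://wiki.example/Main.jsp;jsessionid=ABC123DEF" "Mozilla/5.0"',
    '203.0.113.9 - - [18/Jun/2008:10:25:44 +0200] "GET /wiki/Edit.jsp;jsessionid=ABC123DEF?page=Main HTTP/1.1" 200 5310 "-" "Mozilla/5.0"',
]
```

Running `shared_session_ids(scan_access_log(SAMPLE_LOG))` reports `ABC123DEF`, the ID first seen from 10.0.0.5 and later replayed from 203.0.113.9.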
