Hi Andrew,

Many thanks for the quick answer.

Yes, I did mean encoding the session id in the url ("http://host/foo.jsp;jsessionid=123?page=Main").

We want to disable cookies in our dev environment so that we can log into the same app multiple times from the same browser; this makes testing some things a lot easier. Firefox shares cookies between windows unless you go to a lot of effort (setting up separate profiles).

Note that in the setup here, there is a large existing webapp with an embedded JSPWiki engine to serve the help pages; disabling a dev/test feature in order to support the (small) help engine feature hasn't been terribly popular.

I'm working on enabling this in JSPWiki anyway, but won't bother submitting the patches here.

By the way, I don't see cookies as a lot more secure. The cookie text is also sent in plain text in both the request and response bodies. There aren't many cases where someone can intercept the url but not the cookies. But thanks for the reference to OWASP; I'll have a look at what they say about that.

Regards,
Simon

Andrew Jaquith wrote:
> Putting the session ID in the URL (which is I think what you are
> asking about) is a fairly severe security risk. Cloning the session
> becomes trivial if the URL is obtained.
>
> I know that in certain locales (Germany, for example), it is believed
> that cookies represent an invasion of privacy. But, perversely,
> banning cookies actually decreases the overall level of security for
> webapps because the session ID is now exposed in the URL. For this
> reason, the practice of adding session IDs to webapp URLs has always
> been discouraged by best-practice organizations such as OWASP.
>
> Janne's comment from 2006, I expect, still holds. We would encourage
> anyone who wishes to eliminate cookies -- in spite of best-practice
> advice from the security community -- to write their own patches. But
> it is extremely unlikely that JSPWiki will ever incorporate a "no
> cookie" (URL rewriting) feature.
>
> Andrew
>
> On Jun 18, 2008, at 10:20 AM, Simon Kitching wrote:
>
>> Hi,
>>
>> This email from 2006 says that "url rewriting" (i.e. having sessions
>> without cookies) is not supported by JSPWiki. Is this still true for
>> later releases?
>> http://www.nabble.com/URL-Rewriting-to6040752.html#a6042004
>>
>> Thanks,
>> Simon
>>
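As an added example, not code from this thread or from JSPWiki, here is a servlet filter that enforces the cookie-only session policy Andrew describes: it rejects requests whose session id arrived through ";jsessionid=" URL rewriting and stops the container from emitting rewritten links. The class name is hypothetical, and it assumes the javax.servlet API.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter (added example): refuse sessions that were supplied in
// the URL and never append ;jsessionid=... to generated links or redirects.
public class CookieOnlySessionFilter implements Filter {
    @Override
    public void init(FilterConfig cfg) {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // A session id carried in the URL may already sit in proxy/server logs,
        // browser history and the Referer header of outbound links, so a
        // session reached this way is treated as exposed and dropped.
        if (request.isRequestedSessionIdFromURL()) {
            HttpSession exposed = request.getSession(false);
            if (exposed != null) {
                exposed.invalidate();
            }
            response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "Session id must be sent as a cookie, not in the URL");
            return;
        }

        // Wrap the response so encodeURL()/encodeRedirectURL() return the URL
        // unchanged; the container then has no way to fall back to rewriting
        // for clients that reject cookies.
        HttpServletResponse noRewrite = new HttpServletResponseWrapper(response) {
            @Override public String encodeURL(String url) { return url; }
            @Override public String encodeRedirectURL(String url) { return url; }
        };
        chain.doFilter(request, noRewrite);
    }

    @Override
    public void destroy() {}
}
```

On a Servlet 3.0 or later container the same effect can be declared in web.xml with `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>`; the filter is for containers that predate that setting.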