in reply to Maintain Session without Cookies?

I guess one advantage of not using cookies, is you can maintain sessions on devices that do not accept cookies, such as pda's and phones.

The biggest disadvantage is the ease in which a session can be hijacked.

If, for example, you cut and paste the URL and email it to another person, they will have your session. It's a rather simplistic example, but is a threat I would consider, especially if you have personal information on your site.

Here is a good article outlining good web session security. It may be a little overkill, but great reading.

Update: To help cover against the hijacking, a different token should be used for every page sent.

Re: Re: Maintain Session without Cookies?
by moodster (Hermit) on Feb 22, 2002 at 12:19 UTC
    Well, considering that the contents of the session cookie is sent to the server with each HTTP request, a cookie solution isn't that much secure anyway. If someone monitors your network traffic, hijacking the session is trivial no matter if you are using cookies or not. The only antidote is to connect through an encrypted channel.

    Granted, it's easy to cut&paste the URL and mail it to someone else, but if you're that eager to compromise your own security you could just as well edit the contents of cookies.txt.

    Cheers,
    --Moodster

Re: Re: Maintain Session without Cookies?
by nop (Hermit) on Feb 23, 2002 at 15:50 UTC
    If you embed the session in the URL, use some common sense:
    • if a session shows no activity for 30 minutes, kill the session and start a new one. Depending on your site, this may mean asking for a login, or it may mean just cutting a new session key.
    • if a session comes in that is "inconsistent" (different browser type, different referrer, etc) with the last session request, kill the session.
    • as merlyn says here, make the session key unguessable
    While these don't fix the problem completely (e.g. users coming in from AOL via the same AOL proxy machine might be able to swap sessions if they do it reasonably quickly), they go a long way to reduce it.
    nop
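The measures nop lists above (idle timeout, consistency check against the last request, unguessable key) and the per-page token rotation from the Update in the first reply can all live in one small server-side session store. The following is an added example, not code from any poster in this thread; it is written in Python rather than Perl so it can be run as-is, and the class name `SessionStore`, the `clock` parameter and the use of the User-Agent header as the "consistency" signal are choices made for this example, not something the thread specifies.

```python
import secrets
import time

# Idle limit from nop's reply: 30 minutes without activity kills the session.
IDLE_TIMEOUT = 30 * 60  # seconds


class SessionStore:
    """In-memory store for sessions addressed by a URL-embedded token.

    Every accepted request retires the token it arrived with and issues a
    fresh one, so a token copied out of a URL stops working as soon as the
    legitimate user makes their next request.
    """

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so the idle timeout is testable
        self._sessions = {}      # token -> session record

    @staticmethod
    def _new_token():
        # 32 bytes from the OS CSPRNG, URL-safe: unguessable, as merlyn advises.
        return secrets.token_urlsafe(32)

    def create(self, user, user_agent):
        """Start a session for `user` and return the token to embed in URLs."""
        token = self._new_token()
        self._sessions[token] = {
            "user": user,
            "user_agent": user_agent,   # remembered for the consistency check
            "last_seen": self._clock(),
        }
        return token

    def validate(self, token, user_agent):
        """Check a token presented in a request.

        Returns (new_token, user) when the request is accepted, or None when
        the session is unknown, idle too long, or presented from a client
        that does not match the one it was created for. In every rejection
        case the session is gone and the caller must start a new one.
        """
        # pop, not get: the presented token is single-use either way
        record = self._sessions.pop(token, None)
        if record is None:
            return None
        now = self._clock()
        if now - record["last_seen"] > IDLE_TIMEOUT:
            return None   # idle past the limit: kill it, do not resurrect
        if record["user_agent"] != user_agent:
            return None   # inconsistent with the last request: treat as hijack
        record["last_seen"] = now
        new_token = self._new_token()
        self._sessions[new_token] = record
        return new_token, record["user"]

    def active_sessions(self):
        """Number of live sessions (useful for tests and monitoring)."""
        return len(self._sessions)


def session_url(path, token):
    """Build the link a page would emit, carrying the current token."""
    return f"{path}?session={token}"


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("alice", "Mozilla/5.0 (constructed sample)")
    print(session_url("/account", tok))
    print(store.validate(tok, "Mozilla/5.0 (constructed sample)"))
    print(store.validate(tok, "Mozilla/5.0 (constructed sample)"))  # None: token already used
```

The store keeps state on the server, so the token in the URL is only a lookup key, not the session itself; rotating it per request limits what the emailed-URL scenario from the first reply can do to a single window between two legitimate requests. As moodster notes, none of this helps against someone reading the traffic on the wire, which only an encrypted channel addresses.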