Beware of URL rewriting

Sessions can be implemented with two underlying mechanisms -- cookies and URL rewriting. URL rewriting involves placing a session id in the URL, as in
http://www.javapractices.com/topic/TopicAction.do;jsessionid=863F3D316?Id=191
According to the Open Web App Security Project, URL rewriting has significant security risks. The general idea is that since the session id appears in the URL, it may be easily seen by third parties: Third-party access to session id's simply means that private user information is wide open to attack. Thus, many argue that URL rewriting is a dangerous practice, and should be avoided. If cookies are used instead, then the session id does not appear in the URL.

It's possible that some web sites may use cookies to track user browsing patterns. As a result, some users turn off cookies in an attempt to protect their privacy. However, given the seriousness of the above security issue, many would argue that turning off cookies is actually much worse for user privacy. That is, the risk of compromising personal data through session hijacking seems to far outweigh concerns about tracking personal browsing patterns.

Options for managing URL rewriting include :

In the case of public web sites, you will need to decide if requiring browsers to keep cookies enabled is acceptable in each case.

See Also :
Emit flexible URLs
Always maintain HttpSessions
Manage sessions closely
Would you use this technique?
Yes   No   Undecided   
© 2014 Hirondelle Systems | Source Code | Contact | License | RSS
Individual code snippets can be used under this BSD license - Last updated on September 21, 2013.
Over 2,000,000 unique IPs last year - Built with WEB4J.
- In Memoriam : Bill Dirani -