What is the vulnerability of having Jsessionid only on first request

Question

What is the vulnerability of having Jsessionid only on first request

We recently removed jsessionid from the URL using cookie-based session management to prevent a “session capture attack”

But we found that the first request URL always has jsessionid when cookies are enabled, and there is no jsessionid for the subsequent request URL.

using jsessionid from the first url, we could directly click on other pages in the workflow

Question: is there any security vulnerability that displays jsessionid only on the first request?

There is a solution to remove jsessionid from the first request, but it needs to check if it is really vulnerable to change mandate

thanks J

EDIT: I understood my doubts. Thanks for answers.

+3

security jsessionid

Jenga blocks Jan 18 '11 at 8:57

source share

3 answers

Rry McCune · Answer 1 · 2011-01-18T13:49:57+0000

What you have done here may slightly improve the overall security of the solution, but it does not necessarily prevent session hijacking.

The security problem when placing the session ID in the URL is that the URLs are displayed in different places (for example, copies and pasted URLs can expose a live session, URLs can be stored in proxy logs, web logs -servers and browser history), which can allow an attacker to capture a valid session identifier and gain access to your user data.

Ideally, you should remove the JSESSIONID from the URL in all places and use the cookie store.

In addition, if you want to smooth out session capture, a number of other areas will be covered there.

SSL , ( , (, Firesheep).

, , .

, , cookie HTTPOnly , .

OWASP

, , Security.stackexchange.com

m.edmondson · Answer 2 · 2011-01-18T09:03:13+0000

cookie, " "

, ?

- . ( cookie), .

, , , , , .

ismail · Answer 3 · 2011-01-18T09:06:32+0000

- , , . " " .

What is the vulnerability of having Jsessionid only on first request

More articles: