Transmitting Session IDs
What is the best method for transmitting session IDs?
1. Sending the session ID in plain text in the URL.
2. Sending a hashed session ID in the URL.
3. Sending the session ID as a hidden value in the form.
4. Embedding the session ID in a cookie.
The best answer to the quiz is (4), embedding the session ID in a cookie.
Session IDs are used by a web site to track a user's session as they browse the site. Attackers often try to hijack a session by guessing a user's session ID, and can then use the stolen session ID to masquerade as that user. This can be very harmful if the user is carrying out financial transactions over the internet. Session IDs are often sent to the user as part of the URL. Eg:
This method (Option 1) has clear disadvantages. Because the session ID is part of the URL, both the URL and the session ID it carries can be read and modified from the browser itself, and the URL, session ID included, is also stored in the browser history. Hence the number of attacks resulting from this method is very high.
To make the session ID harder to manipulate, a hash can be computed over the session ID combined with client-specific information, such as the source address. Eg: the hash for the session ID ‘bHNrZGpmbHNramR;220.127.116.11’ will be 6d1d2a2ba48656afad2da6a9f3ac047d.
To authenticate a user, the server retrieves the user's IP address and session ID, recomputes the hash and compares it with the hash value stored in the database (Option 2). The disadvantage is that the server has to generate a hash for every request, which adds a significant amount of CPU overhead on the server. Also, in this specific example, if the end user is behind a proxy server, the IP address will not be unique to a particular user.
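The Option 2 check described above, as an added example that is not part of the original quiz: the server binds the session ID to the client address with a hash, validates each request by recomputing it, and the proxy caveat shows up directly because two users presenting the same address produce the same hash. The hash function, the in-memory store, and the `SESSIONID` cookie name are assumptions (the quiz does not name its hash; SHA-256 is used here), and the cookie helper goes slightly beyond the quiz by adding the HttpOnly, Secure and SameSite attributes a practitioner would set for Option 4.

```python
import hashlib
import hmac
import secrets

# Constructed server-side store: session ID -> hash of "sessionID;clientIP".
# (Assumption: the quiz does not say where or how the hash is stored.)
SESSION_STORE: dict[str, str] = {}


def _binding_hash(session_id: str, client_ip: str) -> str:
    # Same "sessionID;clientIP" layout as the quiz's example; SHA-256 is an assumption.
    return hashlib.sha256(f"{session_id};{client_ip}".encode()).hexdigest()


def bind_session(session_id: str, client_ip: str) -> str:
    """Option 2: store the hash that ties this session ID to the client's address."""
    digest = _binding_hash(session_id, client_ip)
    SESSION_STORE[session_id] = digest
    return digest


def validate_session(session_id: str, client_ip: str) -> bool:
    """Per-request check: recompute the hash for the presenting client and compare.
    This is the per-request hashing cost the quiz calls out as CPU overhead."""
    stored = SESSION_STORE.get(session_id)
    if stored is None:
        return False
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(stored, _binding_hash(session_id, client_ip))


def new_session_id() -> str:
    """Unguessable session ID; a guessable one is what lets hijacking succeed."""
    return secrets.token_urlsafe(32)


def session_cookie_header(session_id: str) -> str:
    """Option 4: deliver the ID in a cookie, not the URL, so it stays out of history
    and address bars. HttpOnly blocks script access, Secure keeps it off plain HTTP,
    SameSite=Strict stops browsers attaching it to cross-site requests."""
    return f"Set-Cookie: SESSIONID={session_id}; Path=/; HttpOnly; Secure; SameSite=Strict"


if __name__ == "__main__":
    sid = "bHNrZGpmbHNramR"  # session ID from the quiz's example
    bind_session(sid, "220.127.116.11")
    print(validate_session(sid, "220.127.116.11"))  # legitimate client: True
    print(validate_session(sid, "203.0.113.9"))     # stolen ID from elsewhere: False
    # Proxy caveat: a second user behind the same proxy presents the same address,
    # so the binding cannot distinguish them and the stolen ID is accepted.
    print(validate_session(sid, "220.127.116.11"))  # True
    print(session_cookie_header(new_session_id()))
```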