Nothing interferes. You get the session ID, you can participate in the session.
In the normal case of cookies, this is not a risk. An attacker should not be able to read a user's session cookie unless:
they are in a position to mount a man-in-the-middle attack, in which case you have much worse problems than just session identifiers;
you have left a cross-site scripting hole, in which case you have a much worse problem than just session identifiers;
you are vulnerable to DNS rebinding / cross-domain cooking attacks, in which case you should fix that by accepting only requests with a known Host: header.
(Although you may try to tie sessions to IP addresses, this risks breaking valid sessions due to, for example, round-robin proxies. IP addresses can be used as part of a broader strategy for detecting suspicious activity, but on the public Internet it is not a good idea to always require that every request in a session come from the same IP address.)
Unfortunately, there is another case in Servlet besides cookies: jsessionid= in the URL. Since they appear in the URL itself, this makes them much more leaky (for example, through referrers and pasted links). And this is far from the only practical problem with session identifiers in URL parameters. They ruin navigation and wreck SEO.
In my opinion, jsessionid= URLs are one of Servlet's earliest mistakes, a discredited cookie fallback strategy that should not be used for anything. Certainly they must not be allowed to give access to any privileged data; consider using HTTP Basic Authentication if you need a fallback mechanism for browsers that do not support cookies.
In Servlet 3.0, you can easily disable jsessionid= URLs using <session-config> in web.xml; unfortunately, in earlier versions you are left with filters if you want to disable this function properly.
bobince
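An added example, not part of the answer above, showing both routes it mentions: the Servlet 3.0 <session-config> switch (quoted in the header comment) and, for older containers, a Filter that stops the container from emitting ;jsessionid= links and refuses to act on a session id that arrived in the URL. The class name NoUrlSessionFilter and the mapping are assumptions; the Servlet API calls (isRequestedSessionIdFromURL, encodeURL/encodeRedirectURL, sendRedirect) are standard javax.servlet.http.

```java
// Added example (not from the original answer). Assumed filter name and mapping.
//
// Servlet 3.0 and later: no code needed, just web.xml:
//   <session-config>
//     <tracking-mode>COOKIE</tracking-mode>
//   </session-config>
//
// Pre-3.0 containers: register this filter on /* to get the same effect.
//   <filter><filter-name>noUrlSession</filter-name>
//           <filter-class>NoUrlSessionFilter</filter-class></filter>
//   <filter-mapping><filter-name>noUrlSession</filter-name>
//                   <url-pattern>/*</url-pattern></filter-mapping>
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

public class NoUrlSessionFilter implements Filter {

    public void init(FilterConfig cfg) { }
    public void destroy() { }

    // Remove a ";jsessionid=..." path parameter wherever it appears in a URI.
    // Case-insensitive because some containers upper-case the name.
    static String stripSessionId(String uri) {
        return uri.replaceAll("(?i);jsessionid=[^;/?#]*", "");
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // A session id presented in the URL may have leaked through a referrer or a
        // pasted link. Do not act on it: redirect to the same address with the path
        // parameter removed, so the browser re-requests using only its cookies.
        if (request.isRequestedSessionIdFromURL()) {
            String clean = stripSessionId(request.getRequestURI());
            String query = request.getQueryString();
            if (query != null) {
                clean = clean + "?" + query;
            }
            response.sendRedirect(clean);
            return;
        }

        // Cookies only from here on: make every URL-encoding call a no-op so the
        // container never appends ;jsessionid= to links or redirects it generates.
        HttpServletResponseWrapper cookieOnly = new HttpServletResponseWrapper(response) {
            @Override public String encodeURL(String url) { return url; }
            @Override public String encodeRedirectURL(String url) { return url; }
            @Override @SuppressWarnings("deprecation")
            public String encodeUrl(String url) { return url; }
            @Override @SuppressWarnings("deprecation")
            public String encodeRedirectUrl(String url) { return url; }
        };
        chain.doFilter(request, cookieOnly);
    }
}
```

The redirect branch is the defensive part: the filter does not invalidate the session named in the URL (that id could belong to a legitimate user whose link leaked), it simply refuses to let a URL-carried id select a session for this request. Any page that still needs to support cookie-less clients should use a separate mechanism such as HTTP Basic Authentication, as the answer suggests.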