Transmitting Session IDs

By Paladion

July 15, 2005

What is the best method for transmitting session IDs?

  1. Sending the session ID in plain text in the URL.
  2. Sending hashed session ID in the URL.
  3. Sending the session ID as a hidden value in the form.
  4. Embed the session ID in the Cookie.

The best answer to the quiz is (4) Embed the session ID in the Cookie.

Session IDs are used by a web site to track a user's session as he/she browses the web site. Attackers often try to hijack a session by guessing a user's session ID. The attacker can then use this stolen session ID to masquerade as the user. This can be pretty harmful if the user is doing financial transactions via the internet. Session IDs are often sent to the user as part of the URL. Eg:

This method (Option 1) has its disadvantages. Since the session ID is part of the URL, it is easy to modify the URL and the standard session ID from the browser itself. Also the session being part of the URL is also stored in the browser history. Hence the number of attacks resulting from this method is very high.

To avoid easy manipulation of the session IDs, a hash value can be formed with the combination of the session ID and any client specific information, such as the source address. Eg: the hash for the session ID 'bHNrZGpmbHNramR;' will be 6d1d2a2ba48656afad2da6a9f3ac047d.

To authenticate a user the server has to retrieve the user's IP address and the session ID and then compare the hashed value to the hash value stored in the database (Option 2). The disadvantage is, the server has to generate hashes for each request and this generates a significant amount of CPU overhead on the server. Also, in this specfic example, if the end user is using a proxy server, the IP address will not be unique to a particular user.

Another method is to send a session ID as hidden form fields (Option 3). By sending the session ID in hidden form fields, it becomes slightly difficult for the attacker to get the session id. But the attacker can get the session ID by using a personal web proxies such as Achilles. The attacker can paste the stolen session ID in the URL and send a GET request to the server. If the server does not block the GET requests for the particular form, then this particular request can bypass this protection easily. The biggest disadvantage of this method -- It cannot be used on normal pages without forms. To include hidden form fields, complex javascript has to be introduced on the page to send POST requests.

The best method to send a session ID is to embed the session ID in a cookie. Upon first request, a random session ID is created which can be sent through a cookie to the client's browser. This cookie should be set a suitable timeout so that the cookie expires within a certain period of inactivity. Upon every request, this stored cookie is sent along with the request. The server uses the information stored in the cookie to authenticate the user. But, since some user might disable the use of cookies on their browsers, it must be warned to the end user that the site needs the use of cookies for the sake of security.

Tags: Quiz