
Re: mailmam, web bridge, forum, p2p

From: Mike Gerwitz
Subject: Re: mailmam, web bridge, forum, p2p
Date: Sun, 27 Oct 2019 01:32:54 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux)

On Sun, Oct 27, 2019 at 00:50:17 -0400, Mike Gerwitz wrote:
> On Sat, Oct 26, 2019 at 09:48:37 +0200, address@hidden wrote:
>>> Passing session tokens via GET requests is a bad idea, because that
>>> leaks the token.
>> Even in https?


> Back in what feels like a previous lifetime by now, I used to do a lot
> of work with phpBB2, which had an option to either store sessions in
> cookies or place PHPSESSID in the URL.  It modified every link to
> include a session id.  It tried to mitigate the issue by checking the
> source IP address, but if you were logged on the same network (e.g. in
> the same place of employment; school; library; etc), then sharing a link
> would lead to session hijacking.

Since I was in the mindset of leaking information, I forgot to mention
another negative side-effect of including tokens as query strings: it
can turn link sharing into a weapon using session fixation.  E.g. I
could create an account, send a link to you with my session token, and
you may then be logged into my account.  The user may then perform an
action that may benefit the attacker (or the action could be part of the

This is sometimes used as a poor-man's SSO. :x  It can also work with
POSTs: direct the user to an auto-submitting form.

Cookies are better suited for storing session tokens---you cannot set
cookie values for other domains without some other type of exploit
(e.g. XSS, but your cookies best be set to HTTP-only to mitigate that).

Mike Gerwitz

Attachment: signature.asc
Description: PGP signature
