«

My research to this point indicates that cookieless sessions have two
main drawbacks:
1.) Absolute paths cannot be used without a workaround for the session
id storage in the URL.

2.) A security hole is opened due to the visibility of the session id
in the URL.

Are there any other draw backs?

Number 2 is my main concern. To overcome the security risk with
cookieless sessions, couldn't I simply track the initial IP of the
client, and verify that against all requests? That way, if someone on
another box tried to spoof the session, I would be able to kick them
out due to the IP difference.

Thoughts? Other possible solutions to the security risk with cookieless
sessions?

IP tracking is not reliable - proxies and routers can change the source IP
- even while working with the application.

You have to live with that problem.

---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com

> My research to this point indicates that cookieless sessions have two
> main drawbacks:
> 1.) Absolute paths cannot be used without a workaround for the session
> id storage in the URL.
> 2.) A security hole is opened due to the visibility of the session id
> in the URL.
>
> Are there any other draw backs?
>
> Number 2 is my main concern. To overcome the security risk with
> cookieless sessions, couldn't I simply track the initial IP of the
> client, and verify that against all requests? That way, if someone on
> another box tried to spoof the session, I would be able to kick them
> out due to the IP difference.
>
> Thoughts? Other possible solutions to the security risk with
> cookieless sessions?
>

Thanks for the quick reply.

Some suggest that SSL is the cure all for cookieless sessions. I did
not want to due this initially, but if will allow the secure use of
cookieless sessions, it may be the only option. What are your thoughts?
Does SSL close the security gaps opened by cookieless sessions, or at
least make them as secure as sessions with cookies?

Here is another thought: are sessions with cookies really that much
more secure than cookieless sessions? If someone knows how to obtain
your URL from a remote location, that same person can probably spoof
your cookie.

You always have to use SSL if you care about the data on the wire!

If someone can sniff your connection (no SSL) - there is no difference between
cookies and cookieless security-wise.

Cookie-less have different (additional) problems:

- session fixation (someone sends you a link with a pre-generated session)
- user copy&paste session URL and send them e.g. via mail
- id is visible in browser (screenshots etc.)

---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com

> Thanks for the quick reply.
>
> Some suggest that SSL is the cure all for cookieless sessions. I did
> not want to due this initially, but if will allow the secure use of
> cookieless sessions, it may be the only option. What are your
> thoughts? Does SSL close the security gaps opened by cookieless
> sessions, or at least make them as secure as sessions with cookies?
>
> Here is another thought: are sessions with cookies really that much
> more secure than cookieless sessions? If someone knows how to obtain
> your URL from a remote location, that same person can probably spoof
> your cookie.
>