cocoon-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sonny Sukumar" <>
Subject Need Session Help!
Date Wed, 24 Sep 2003 22:27:14 GMT

Hi guys,

I know I've brought up some session questions before, and I gained great 
insight from those discussions, but there's some issues I want to understand 
better before I make implementation decisions.  Assume the context of a B2C 
e-commerce site when considering these issues....

---Assume URL encoding is being used because a customer has all cookies 

1.) Customer puts a few items in her shopping cart.
2.) Customer logs in to view some account details.
3.) Customer then sees her friend on IM and copies a product page URL to her
friend.  This URL contains her session ID.
4.) The friend clicks on the link and views the product page.  However, she
now can click on "My Account" or whatever or "My Cart", and because she'll
appear to be the first customer (she has the same session ID), she can view
all the personal details she shouldn't be able to.

What's the best way to go here?  I'm thinking that if
A.) a given page allows URL encoding to be used and
B.) it contains *any* sensitive info that shouldn't be seen even if the URL 
copied and
C.) even if the customer is already logged in

then the customer should have to log in to see that page every time that 
is requested.  This seems like a hard policy to implement though (and 
for the customer), and I don't see any support for it in the Auth Framework.
After all, if you have the session ID and the "authentication" context is in
the session, then you're considered logged in.  And with URL encoding,
anybody could go and view your account details.

So I don't like URL encoding. :-) However, I'm worried about losing 
who don't have cookies turned on and I notice that most major e-commerce
sites allow URL encoding.  What would you do?

--Should I ever allow URL encoding during the secure checkout process?

In theory it seems like if I'm storing a super sensitive piece of data like 
credit card number in the session, then I wouldn't want the session ID being
so visible as it is when in the URL textbox at the top of the browser 

URLs are also often stored in web server logs and other places, and if it
contains the session ID this can spell trouble because there's a "window of
vulnerability".  Our session timeout is set to 4 hours, so that's 4 hours
during which somebody could access that sensitive info.

On the other hand, if pages coming before the checkout allow URL encoding 
the checkout process doesn't, then that gives the impression that the site
will always work even with session cookies turned off.  Then the customer
finally finds what she wants, puts it in her cart, and heads to
checkout--only to find that she needs to have cookies enabled!  I'm not sure
that's the best way to go, although it can be argued from a security
perspective (but customers are emotional and won't consider
technical/security aspects for a second).

--If URL encoding was being used on a previous page, and then now (say 5
minutes later, or sometime later that still comes before the session times
out) session cookies are enabled, would it still be possible to use the
previously encoded session ID to access the session?  Or would Tomcat 
that session ID key as soon as it recognizes it can use cookies?

For example, if my encoded session ID was "ABCD" (just an example!), and now 
turn on cookies so the next page I request has no more encoded session ID,
can I still somehow use that session ID to access the session?

My guess is no, but I thought I'd ask.

--I'm also pretty sure about this, but I thought I'd ask this too... :-)

Just because somebody gets ahold of the session ID, there's no possible way
for them to *actually* access the session is there?  I mean, they'd have to
rely on requesting a page that happens to hand over that sensitive info
stored in the session, right?

Again, I'm fairly sure they can't actually fetch the Java objects, or even
read the bytes out of server memory, but it's almost a moot point since 
are always going to exist to serve up that info.  Otherwise the info 
be stored in the session in the first place. :-/

Thanks for your help and insights,


Instant message with integrated webcam using MSN Messenger 6.0. Try it now 

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message