Cookieless Sessions (Sessions Without Cookies) and Security

scottymo

My research to this point indicates that cookieless sessions have two
main drawbacks:
1.) Absolute paths cannot be used without a workaround for the session
id storage in the URL.

2.) A security hole is opened due to the visibility of the session id
in the URL.

Are there any other drawbacks?

Number 2 is my main concern. To overcome the security risk with
cookieless sessions, couldn't I simply track the initial IP of the
client, and verify that against all requests? That way, if someone on
another box tried to spoof the session, I would be able to kick them
out due to the IP difference.

Thoughts? Other possible solutions to the security risk with cookieless
sessions?
 
Dominick Baier

IP tracking is not reliable - proxies and routers can change the source IP
- even while working with the application.

You have to live with that problem.
 
scottymo

Thanks for the quick reply.

Some suggest that SSL is the cure-all for cookieless sessions. I did
not want to do this initially, but if it will allow the secure use of
cookieless sessions, it may be the only option. What are your thoughts?
Does SSL close the security gaps opened by cookieless sessions, or at
least make them as secure as sessions with cookies?

Here is another thought: are sessions with cookies really that much
more secure than cookieless sessions? If someone knows how to obtain
your URL from a remote location, that same person can probably spoof
your cookie.
 
Dominick Baier

You always have to use SSL if you care about the data on the wire!

If someone can sniff your connection (no SSL) - there is no difference between
cookies and cookieless security-wise.

Cookieless sessions have different (additional) problems:

- session fixation (someone sends you a link with a pre-generated session id)
- users copy & paste the session URL and send it, e.g. via mail
- the id is visible in the browser (screenshots etc.)
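The session-fixation problem listed above is worth seeing in working code, because the obvious fix (refusing ids the server never issued) is only half of it. The following is an added example, not code from either poster or from any framework: a constructed toy server that carries the session id in an assumed `sid` query parameter (real frameworks embed it differently, e.g. as a path segment) for a made-up host `shop.example`. It runs the same attack under three server policies and shows that only issuing a fresh id at login defeats an attacker who first obtained a legitimate id by visiting the site.

```python
"""Session fixation against URL-carried session ids, and the fix (added example).

Constructed toy: the session id travels in a hypothetical `sid` query parameter
instead of a cookie. Two server policies are compared:
  * adopt any id the client presents  vs.  only honour ids the server issued
  * keep the id across login          vs.  issue a fresh id at login
"""
import secrets
from urllib.parse import urlsplit, urlunsplit, parse_qs, urlencode

SESSION_PARAM = "sid"          # assumed name of the URL parameter carrying the id
SITE = "https://shop.example"  # constructed hostname for the scenario


def sid_from(url):
    """Extract the session id from a URL (None when absent)."""
    return parse_qs(urlsplit(url).query).get(SESSION_PARAM, [None])[0]


def with_sid(url, sid):
    """Return `url` with the session id set (or replaced) in the query string."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    query[SESSION_PARAM] = [sid]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


class CookielessSessionServer:
    def __init__(self, adopt_client_ids, rotate_on_login):
        self.adopt_client_ids = adopt_client_ids
        self.rotate_on_login = rotate_on_login
        self.sessions = {}  # sid -> session data, e.g. {"user": "..."}

    def _issue(self, data=None):
        sid = secrets.token_urlsafe(24)  # unguessable, server-generated id
        self.sessions[sid] = {} if data is None else data
        return sid

    def visit(self, url):
        """Handle an unauthenticated request; return the URL the user continues with."""
        sid = sid_from(url)
        if sid in self.sessions:
            return url                       # known id: keep using it
        if sid is not None and self.adopt_client_ids:
            self.sessions[sid] = {}          # VULNERABLE: trusts a never-issued id
            return url
        return with_sid(url, self._issue())  # unknown or missing id: issue our own

    def login(self, url, username):
        """Authenticate the session named in `url`; return the post-login URL."""
        url = self.visit(url)
        sid = sid_from(url)
        if self.rotate_on_login:
            # HARDENED: bind the authenticated state to a brand-new id, so an id
            # that anyone learned before login (or planted in a link) is worthless.
            data = self.sessions.pop(sid)
            sid = self._issue(data)
            url = with_sid(url, sid)
        self.sessions[sid]["user"] = username
        return url

    def whoami(self, url):
        """Return the user bound to the id in `url`, or None (never creates a session)."""
        return self.sessions.get(sid_from(url), {}).get("user")


def fixation_attack(server, attacker_sid):
    """Attacker plants `attacker_sid` in a link, the victim logs in through it,
    the attacker then replays the planted id. Returns the account the attacker sees."""
    trap_link = with_sid(SITE + "/login", attacker_sid)
    server.login(trap_link, "victim")
    return server.whoami(with_sid(SITE + "/account", attacker_sid))


def run_scenarios():
    """Outcome of the attack under each policy, once with a made-up id and once
    with an id the attacker legitimately obtained by visiting the site first."""
    results = {}
    for name, adopt, rotate in [("adopt_no_rotate", True, False),
                                ("reject_no_rotate", False, False),
                                ("reject_rotate", False, True)]:
        made_up = CookielessSessionServer(adopt, rotate)
        results[name + "/made_up_id"] = fixation_attack(made_up, "attacker-chosen-id")
        issued = CookielessSessionServer(adopt, rotate)
        attacker_sid = sid_from(issued.visit(SITE + "/"))  # attacker visits first
        results[name + "/issued_id"] = fixation_attack(issued, attacker_sid)
    return results


if __name__ == "__main__":
    for scenario, hijacked_user in run_scenarios().items():
        print(f"{scenario:30} attacker sees: {hijacked_user}")
```

Refusing never-issued ids stops only the lazy variant of the attack; the attacker can always get a genuine id by visiting the site once, so the control that matters is regenerating the id at the moment the session gains privileges. The same rotation is good practice for cookie-based sessions too, but with the id in the URL the planted link is the whole attack, which is why it is listed as an additional problem of cookieless sessions.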
 
