Session ID in URL
Description
The application transmits session identifiers as URL query parameters instead of using secure methods like HTTP-only cookies. Session tokens are sensitive credentials that authenticate users to the application. When embedded in URLs, these tokens can be exposed through browser history, server logs, proxy logs, and HTTP Referer headers when users navigate to external sites, creating multiple avenues for session hijacking.
Remediation
Migrate session management to use HTTP-only, Secure cookies instead of URL parameters. Implement the following changes:
1. Configure session cookies with security flags:

   // Example for Java Servlet
   // jakarta.servlet.* applies to Servlet 5+; older containers use javax.servlet.*
   import jakarta.servlet.http.Cookie;
   import jakarta.servlet.http.HttpServletResponse;

   Cookie sessionCookie = new Cookie("JSESSIONID", sessionId);
   sessionCookie.setHttpOnly(true);  // not readable from script (document.cookie)
   sessionCookie.setSecure(true);    // only transmitted over HTTPS
   sessionCookie.setPath("/");       // scope the cookie to the whole application
   response.addCookie(sessionCookie);

2. Remove session tokens from all URL parameters: refactor code to eliminate session IDs from query strings and path parameters.
3. Set appropriate cookie attributes: use the SameSite attribute to prevent CSRF attacks, and ensure cookies are only transmitted over HTTPS in production by setting the Secure flag.
4. Validate existing sessions: implement server-side session validation and regenerate session IDs after authentication to prevent session fixation attacks.
5. Review and sanitize logs: Ensure that any historical logs containing session tokens are purged or redacted to prevent retrospective exploitation.
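As a defender-side aid for steps 2 and 5, the following is an added example (not code from the original page) that detects session identifiers carried in a URL's query string or in a Java-style `;jsessionid=` path parameter and redacts them from access-log request lines and Referer fields. The set of parameter names and the constructed log line are assumptions; extend the set with the names your own framework uses.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names commonly used to carry session identifiers (assumed list).
SESSION_PARAM_NAMES = {"jsessionid", "phpsessid", "asp.net_sessionid",
                       "sessionid", "session_id", "sid"}

# Java-style path parameter, e.g. /account;jsessionid=ABC123
_PATH_PARAM = re.compile(r";(jsessionid)=([^;/?#]+)", re.IGNORECASE)
# Request line of a Common/Combined Log Format entry: "GET /path?x=1 HTTP/1.1"
_REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>HTTP/[\d.]+)"')
# A quoted absolute URL, as found in the Referer field of a Combined Log Format entry
_QUOTED_URL = re.compile(r'"(https?://[^"\s]+)"')


def find_session_ids(url):
    """Return the (lower-cased) names of session parameters present in the URL."""
    parts = urlsplit(url)  # urlsplit keeps ';...' inside the path, unlike urlparse
    found = [k.lower() for k, _ in parse_qsl(parts.query, keep_blank_values=True)
             if k.lower() in SESSION_PARAM_NAMES]
    found += [m.group(1).lower() for m in _PATH_PARAM.finditer(parts.path)]
    return found


def redact_url(url):
    """Replace session identifier values with REDACTED, leaving other parameters intact."""
    parts = urlsplit(url)
    query = urlencode([(k, "REDACTED" if k.lower() in SESSION_PARAM_NAMES else v)
                       for k, v in parse_qsl(parts.query, keep_blank_values=True)])
    path = _PATH_PARAM.sub(lambda m: f";{m.group(1)}=REDACTED", parts.path)
    return urlunsplit((parts.scheme, parts.netloc, path, query, parts.fragment))


def redact_log_line(line):
    """Redact session identifiers in the request URL and Referer of one log line."""
    line = _REQUEST_LINE.sub(
        lambda m: f'"{m.group("method")} {redact_url(m.group("url"))} {m.group("proto")}"', line)
    return _QUOTED_URL.sub(lambda m: f'"{redact_url(m.group(1))}"', line)


# Constructed sample log line (not real traffic) showing both exposure forms.
SAMPLE_LINE = ('10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] '
               '"GET /account;jsessionid=ABC123?tab=1&sessionid=DEF HTTP/1.1" 200 512 '
               '"https://app.example/login?PHPSESSID=XYZ" "Mozilla/5.0"')

if __name__ == "__main__":
    print(redact_log_line(SAMPLE_LINE))
```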