[Owasp-gibraltar] Owasp-gibraltar Digest, Vol 4, Issue 1

Daniele Costa daniele at iteam5.net
Mon Aug 5 10:30:32 UTC 2013


Hi Piotr,

from a security point of view, the problem with using session IDs in URLs is
that these values are normally stored in the browser history, web server
logs and intermediate proxies (when no HTTPS is in place).
If the session IDs are used to identify users (e.g. to maintain an
authenticated session) then using them as one of the URL parameters is not
recommended.

However, if these do not include data to identify users and are just
necessary to track the payment frame, then I don't see a problem using them
within a URL rather than a cookie.
However, you should thoroughly test the process generating the session ID
values to ensure that this cannot be manipulated by malicious attackers.

In regards to your other question about activities in summer...maybe we
could organize a new meeting in September?
Tanya is the best person to answer this question though :-)

Kind Regards,
Daniele Costa
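As an added illustration of the two points in the reply above (session tokens placed in URLs end up in web server logs, and the token generator itself must be checked), the following Python is example code written for this page, not code from the thread or from either company; the parameter names, log format and log lines are constructed assumptions.

```python
import re
import secrets
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Query parameter names assumed to carry a session token (hypothetical list).
SESSION_PARAMS = {"sessionid", "sid", "jsessionid", "phpsessid"}

# Constructed Apache combined-format access log lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Aug/2013:10:30:32 +0000] "GET /cashier/pay?sid=4f3a9c0e7b21&amount=10 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Aug/2013:10:31:02 +0000] "GET /cashier/status?order=77 HTTP/1.1" 200 128 "-" "Mozilla/5.0"
"""

# Pulls the request line ("GET /path?query HTTP/1.1") out of a log entry.
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>HTTP/[\d.]+)"')

def find_session_in_url(url):
    """Return the (name, value) query pairs that look like session tokens."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [(k, v) for k, v in pairs if k.lower() in SESSION_PARAMS]

def redact_url(url):
    """Replace session-token values so the URL can be logged without leaking them."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in SESSION_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))

def scan_log(text):
    """Return (line_no, leaked pairs, redacted line) for every entry exposing a token."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQ_RE.search(line)
        if not m:
            continue
        leaked = find_session_in_url(m.group("url"))
        if leaked:
            redacted = line.replace(m.group("url"), redact_url(m.group("url")))
            findings.append((n, leaked, redacted))
    return findings

def new_session_token(nbytes=32):
    """Token from the OS CSPRNG: the generator the reply says must be tested for guessability."""
    return secrets.token_urlsafe(nbytes)

if __name__ == "__main__":
    for n, leaked, redacted in scan_log(SAMPLE_LOG):
        print(f"line {n}: session token in URL {leaked}\n  safe form: {redacted}")
    print("example token:", new_session_token())
```

Running the scan over the web server's real access log shows which URLs already carry tokens; the redacted form is what a log filter should write instead.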

On Sun, Aug 4, 2013 at 1:00 PM, <owasp-gibraltar-request at lists.owasp.org> wrote:

> Message: 1
> Date: Fri, 2 Aug 2013 11:16:28 +0200
> From: Piotr Tomaszewski <piotr.tomaszewski at intelligentpayments.co.uk>
> To: owasp-gibraltar at lists.owasp.org
> Cc: Marcin Zduniak <marcin.zduniak at intelligentpayments.co.uk>
> Subject: Re: [Owasp-gibraltar] Next Chapter Meeting - June/July?
> Message-ID: <CACUt7-EBV+7MsydTr6ieQ3rbzr9JyrjPLwKkG4MKXhK7fOPWkA at mail.gmail.com>
>
> Dear All,
>
> just wondering - is there any activity planned for the summer? Anyway,
> there's one question I would like to raise, maybe you guys have already
> faced the problem before:
>
> With the advent of Safari and (soon) Firefox blocking third-party
> cookies, we had a lot of complaints about the sessions being lost. We do
> appear to be a third-party, as our web cashier is usually embedded in an
> HTML frame, and for some of the merchants asking a user to fiddle with
> browser settings is unacceptable. There are strong reasons to keep it this
> way, so we decided to reach for the almost-obsolete URL tokens to maintain
> sessions. Although we are quite sure it is not all that very different from
> cookie-based sessions, I would really appreciate any insights on this you
> might have.
>
> The OWASP site says: "Effectively, the web application can use both
> mechanisms, cookies or URL parameters, or even switch from one to the other
> (automatic URL rewriting) if certain conditions are met (for example, the
> existence of web clients without cookies support or when cookies are not
> accepted due to user privacy concerns)."
>
> https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Built-in_Session_Management_Implementations
>
> Best regards,
>
> Piotr