
I noticed that servlets encode the session data into the URL (visible) when cookies are disabled. Doesn't this open the possibilities for attacks when someone is snooping on the traffic in the network? Also, why isn't it added to the data part and sent as a POST request, so that HTTPS can be used to provide the security?

I'm currently creating a session when the login is successful and am storing the user id in the session and the combination of the user id and session id in the DB. For every action, I'm validating the session id and user id provided against the ones stored in the DB. Is this a correct approach?

BalusC
user3388324

1 Answer


It doesn't matter whether the session id is in a cookie or in the URL. If someone views the network traffic, he can get the id in both situations.

If you want to protect the session id, https is the only way.

And https protects the URL also.

George
  • I have added my approach to the question. How do I secure the login information? – user3388324 May 16 '14 at 06:29
  • You have to be more specific. What do you mean by secure? In general, https is used for login credentials. You can check [this](https://www.owasp.org/index.php/Session_Management_Cheat_Sheet) if you are interested in session management. – George May 19 '14 at 09:22
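As an added example (not code from the question or the answer), the following Servlet 3.1 classes put the answer's advice and the asker's approach together: the listener restricts session tracking to cookies so the container never rewrites `;jsessionid=` into URLs and marks the cookie `Secure` and `HttpOnly`; the filter refuses plaintext requests and URL-carried ids and performs the user-id/session-id check the question describes; the login servlet issues a fresh id after authentication and records the binding. The class names, the `/login` path, the `userId` attribute, the in-memory `SessionBindings` map standing in for the asker's DB table, and the `authenticate` hook are all assumptions made for this example.

```java
import java.io.IOException;
import java.util.EnumSet;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Container-wide settings: cookie-only tracking, cookie marked Secure and HttpOnly. */
@WebListener
class SessionHardeningListener implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        // With COOKIE as the only mode the container never appends ;jsessionid=... to URLs,
        // so the id does not end up in proxy logs, browser history or Referer headers.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true); // page scripts cannot read the cookie
        cookie.setSecure(true);   // the browser only sends it over HTTPS
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }
}

/** Stand-in (assumption) for the user-id/session-id table the question describes. */
class SessionBindings {
    static final Map<String, String> SESSION_BY_USER = new ConcurrentHashMap<>();
}

/** Runs before every servlet: forces HTTPS, refuses URL-carried ids, checks the binding. */
@WebFilter("/*")
class SessionGuardFilter implements Filter {
    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        HttpServletResponse w = (HttpServletResponse) res;

        if (!r.isSecure()) {
            // Plaintext request: do not serve it, send the client to the HTTPS URL instead.
            // (Behind a TLS-terminating proxy, configure the connector so isSecure() is true.)
            w.sendRedirect("https://" + r.getServerName() + r.getRequestURI());
            return;
        }
        if (r.isRequestedSessionIdFromURL()) {
            // An id in the path is a stale rewritten link or a copied one; never honour it.
            w.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        HttpSession s = r.getSession(false);
        if (s != null) {
            String user = (String) s.getAttribute("userId");
            // The check from the question: the presented id must be the one bound at login.
            if (user != null && !s.getId().equals(SessionBindings.SESSION_BY_USER.get(user))) {
                s.invalidate();
                w.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
        }
        chain.doFilter(req, res);
    }
}

/** Login over POST (credentials in the body, as the question suggests), then bind the session. */
@WebServlet("/login")
class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest r, HttpServletResponse w) throws IOException {
        String user = r.getParameter("username");
        if (user == null || !authenticate(user, r.getParameter("password"))) {
            w.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        HttpSession s = r.getSession(true);
        // Servlet 3.1: discard whatever id the browser carried before login and issue a new one.
        String freshId = r.changeSessionId();
        s.setAttribute("userId", user);
        SessionBindings.SESSION_BY_USER.put(user, freshId);
        w.sendRedirect(r.getContextPath() + "/");
    }

    /** Hypothetical hook: replace with real password verification against your user store. */
    private boolean authenticate(String user, String password) {
        return password != null && password.length() >= 8; // placeholder rule for the example only
    }
}
```

Each class would normally live in its own file; they are shown together here for readability. With cookie-only tracking, a browser that has cookies disabled simply cannot hold a session, which is the trade-off the question is really asking about: the URL fallback exists for exactly that case, and disabling it is what keeps the id out of places that HTTPS does not cover (logs, history, Referer).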