Are there drawbacks to Cookieless Sessions

Logician

I am working with cookieless sessions and I can't see any disadvantages,
especially if HTTP cookies are also used if the browser can support
them.

Several sites, e.g. groups.google.com, require HTTP cookies and I am
unsure why that is.

Can anyone throw any light on this?

Robbe Morris [C# MVP]

They can be a security risk particularly if you allow posting
of links on your web site. If someone were to click one
of those links, that web site could retrieve the session id
from the HTTP_REFERER and use it to "take over"
an active session.

I have tested this myself and it is incredibly easy
to duplicate successfully.

WJ

Robbe Morris said:
I have tested this myself and it is incredibly easy to duplicate
successfully.

You may be able to avoid this so called "session hijack" by allowing only
one (1) location per sessionID (whoever gets on 1st will be considered
legit).

John

S. Justin Gengo

John,

But what identifies a single location? So many people are behind proxy
servers that one user may easily look like another. At work there are over
one thousand of us and to a website it looks like we're all at the exact
same address...

--
Sincerely,

S. Justin Gengo, MCP
Web Developer / Programmer

www.aboutfortunate.com

"Out of chaos comes order."
Nietzsche

WJ

S. Justin Gengo said:
John,

But what identifies a single location? So many people are behind proxy
servers that one user may easily look like another. At work there are over
one thousand of us and to a website it looks like we're all at the exact
same address...

I did say "may be" in the previous reply. In your case, it may not be
possible because your company may have NAT (?) or something similar to fake
or disguise the client IP. However, in my case, I know each client is
assigned a unique IP address by DHCP. In summary, as long as you can find a
unique identifier to identify who your clients are, it is not impossible to
implement.

John
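As an added example (not code from this thread or from ASP.NET itself), the "one location per session ID" check John describes, run as detection logic over constructed access-log lines. It assumes Combined Log Format and the ASP.NET cookieless URL form /(S(id))/page.aspx; the session ID, addresses and hostnames are made up, and the function's docstring records the proxy/NAT caveat Justin raises.

```python
import re

# ASP.NET cookieless sessions carry the ID in the path as /(S(<24 chars>))/.
SESSION_PATH_RE = re.compile(r"/\(S\(([a-z0-9]{24})\)\)/")
# Minimal parser for Combined Log Format: client IP, request path, Referer.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" \d{3} \S+ "([^"]*)"')

# Constructed sample traffic, not real logs; the session ID is made up.
SID = "x4kq2nq3bhbx1qrcfx0ajv55"
SAMPLE_LOG = f"""\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /(S({SID}))/cart.aspx HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:40 +0000] "GET /(S({SID}))/checkout.aspx HTTP/1.1" 200 812 "https://shop.example/(S({SID}))/cart.aspx" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:58:01 +0000] "GET /(S({SID}))/checkout.aspx HTTP/1.1" 200 812 "https://forum.example/thread/42" "curl/8.0"
"""


def parse_line(line):
    """Return (ip, path, referer, session_id) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, path, referer = m.groups()
    sid = SESSION_PATH_RE.search(path)
    return ip, path, referer, (sid.group(1) if sid else None)


def first_location_guard(log_text):
    """Bind each session ID to the address that first presented it and
    report every later request for that ID from a different address.
    Caveat from the thread: users behind one NAT or proxy share an address,
    so a reuse from the same egress is invisible, and a legitimate user
    whose address changes mid-session is reported as well."""
    owner = {}
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[3] is None:
            continue
        ip, path, referer, sid = rec
        if sid not in owner:
            owner[sid] = ip  # whoever presents the ID first is considered legit
        elif owner[sid] != ip:
            alerts.append({"sid": sid, "owner": owner[sid], "from": ip,
                           "path": path, "referer": referer})
    return alerts
```

The third sample line is the pattern the thread warns about: the same session ID arriving from a second address with an external Referer, which is what a link followed from another site looks like in your own logs.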

Logician

Robbe said:
They can be a security risk particularly if you allow posting
of links on your web site. If someone were to click one
of those links, that web site could retrieve the session id
from the HTTP_REFERER and use it to "take over"
an active session.

I have tested this myself and it is incredibly easy
to duplicate successfully.

I have read that Microsoft solutions are littered with security issues,
and maybe this is an example.

I do get a lot of complaints from my customers regarding my CPI link
(payment link to Barclaycard requiring Javascript at the EDPQ site),
and they complain it won't work due to firewalls.

The figure for me is about 10-20% of customers. I contacted Barclaycard
and I was told: "If you don't like it, write your own software - this is
the MPI service also offered."

I see a lot of websites making strong assumptions about client systems,
which are not valid in many cases. I find it incredible that large
companies will ignore so many Web visitors by coding for only certain
client systems.

I was trying to find a solution to handle all clients.

S. Justin Gengo

John,

Ok, I agree, if the situation warrants it that may be a solution. I wasn't
trying to say your idea was a bad one. I just wanted Logician to know the
possible ramifications if the site being worked on is public...

--
Sincerely,

S. Justin Gengo, MCP
Web Developer / Programmer

www.aboutfortunate.com

"Out of chaos comes order."
Nietzsche