JavaRanch » Java Forums » Java » Servlets
Session key as a hidden field in a html form

Edward Chen
Ranch Hand

Joined: Dec 23, 2003
Posts: 798
If we set the session key as a hidden field in an HTML form, will it create a big security hole? Will it cause session hijacking?

Thanks.
Jeanne Boyarsky
internet detective
Marshal

Joined: May 26, 2003
Posts: 29249
Edward,
It's not a bigger security hole than having it in the URL. If you are dealing with credit card numbers and the like, you need HTTPS though.

Nothing causes a session hijack. You mean, are you vulnerable to one? If someone has a packet sniffer and is intercepting the traffic, they can hijack any HTTP session because it's not encrypted like HTTPS is. They can intercept cookies, URLs and content.
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4637
Edward Chen wrote: If we set the session key as a hidden field in an HTML form, will it create a big security hole? Will it cause session hijacking?


Yes, it's a huge hole.

Rule #1: never trust any data from the client's Browser.

You may think it's a browser, but it could be a bad guy's program pretending to be a browser.
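The two replies above make two separate points: an id carried in the clear over HTTP can be read by anyone sniffing the wire, and an id the client hands back in a URL or a form field is data the server has no reason to trust. The Servlet 3.0 class below is an added example, not code from this thread or from any poster; it configures the container to accept JSESSIONID only from a Secure, HttpOnly cookie, refuses ids that arrive in the URL or in a form field, and rotates the id at login so an id a victim was tricked into using before logging in never becomes an authenticated one. The hidden-field name `sessionKey`, the `startAuthenticatedSession` helper and the `"user"` attribute are assumptions made for the example.

```java
// Added example, not from the thread. One class that is both a ServletContextListener
// (to configure session tracking) and a Filter (to reject client-supplied ids).
// The hidden-field name "sessionKey" and the login helper are hypothetical.
import java.io.IOException;
import java.util.EnumSet;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebListener
@WebFilter("/*")
public class SessionHardening implements ServletContextListener, Filter {

    // Hypothetical name of the hidden form field from the original question.
    private static final String HIDDEN_SESSION_FIELD = "sessionKey";

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        // Cookie-only tracking: the container stops appending ;jsessionid=... to
        // rewritten URLs and ignores an id that shows up in the URL.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true); // page scripts cannot read the cookie
        cookie.setSecure(true);   // browser sends it only over HTTPS, so a sniffer
                                  // on plain HTTP never sees it
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // A session id in the URL or in a form field is client-controlled data.
        // Reject the request instead of looking a session up by that value.
        if (request.isRequestedSessionIdFromURL()
                || request.getParameter(HIDDEN_SESSION_FIELD) != null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "session id is accepted only from the session cookie");
            return;
        }
        // Defence in depth: a session that somehow reached us over plain HTTP is
        // treated as exposed and discarded rather than served.
        HttpSession existing = request.getSession(false);
        if (existing != null && !request.isSecure()) {
            existing.invalidate();
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() { }

    /**
     * Hypothetical helper for the login servlet, called after the credential
     * check succeeds. Dropping the pre-login session and starting a fresh one
     * means an id the user was handed before logging in (for example through a
     * session-encoded link) is not the id that ends up authenticated.
     */
    public static HttpSession startAuthenticatedSession(HttpServletRequest request,
                                                        String user) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        fresh.setAttribute("user", user);
        return fresh;
    }
}
```

With cookie-only tracking the container never generates `;jsessionid=` URLs, so the `isRequestedSessionIdFromURL()` branch only fires for a client that constructs such a URL itself, which is exactly the case worth refusing. On Servlet 3.1 and later, `request.changeSessionId()` can replace the invalidate-and-recreate pair in the login helper while keeping the session's attributes.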
Jeanne Boyarsky
internet detective
Marshal

Joined: May 26, 2003
Posts: 29249
Pat,
Why is it worse than a JSESSIONID in the URL? That's certainly vulnerable to session hijacking of course.
Ravi Sree
Ranch Hand

Joined: Jan 24, 2010
Posts: 62

Jeanne Boyarsky wrote:Pat,
Why is it worse than a JSESSIONID in the URL? That's certainly vulnerable to session hijacking of course.


Hi pal,
I think that a session ID either in the URL or in a hidden field is vulnerable to attacks either way....
because if this ID gets into the hands of a hacker, they can impersonate a victim by getting the victim to follow a session-encoded URL to one's site. And if the victim is logged in and the hacker is logged in as well, then he can have access to confidential information...
I'm new to a forum, if i may sound foolish, please guide me...

Thanks
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4637
Jeanne Boyarsky wrote:Why is it worse than a JSESSIONID in the URL? That's certainly vulnerable to session hijacking of course.


I'm not sure it is worse. Trusting anything from the client is dangerous.

Session IDs and nonces tend to work, as it is hard for the bad guy to change one and pick another legal value.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60056
"The LuckyMe", please check your private messages for an important administrative matter.
