JavaRanch » Java Forums » Java » Servlets
Session key as a hidden field in a html form

Edward Chen
Ranch Hand

Joined: Dec 23, 2003
Posts: 798
If we set the session key as a hidden field in an HTML form, will it create a big security hole? Will it cause session hijacking?

Thanks.
Jeanne Boyarsky
internet detective
Marshal

Joined: May 26, 2003
Posts: 30138

Edward,
It's not a bigger security hole than having it in the URL. If you are dealing with credit card numbers and the like, you need HTTPS though.

Nothing causes a session hijack. You mean: are you vulnerable to one? If someone has a packet sniffer and is intercepting the traffic, they can hijack any HTTP session because it's not encrypted like HTTPS is. They can intercept cookies, URLs and content.


Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4646

Edward Chen wrote:If we set the session key as a hidden field in an HTML form, will it create a big security hole? Will it cause session hijacking?


Yes, it's a huge hole.

Rule #1: never trust any data from the client's Browser.

You may think it's a browser, but it could be a bad guy's program pretending to be a browser.
Jeanne Boyarsky
internet detective
Marshal

Joined: May 26, 2003
Posts: 30138

Pat,
Why is it worse than a JSESSIONID in the URL? That's certainly vulnerable to session hijacking of course.
Ravi Sree
Ranch Hand

Joined: Jan 24, 2010
Posts: 62

Jeanne Boyarsky wrote:Pat,
Why is it worse than a JSESSIONID in the URL? That's certainly vulnerable to session hijacking of course.


Hi pal,
I think that a session ID, either in the URL or in a hidden field, is vulnerable to attacks either way....
because if this ID gets into the hands of a hacker, they can impersonate a victim by getting the victim to follow a session-encoded URL to one's site, and if the victim is logged in, and the hacker is logged in as well, then he can have access to confidential information...
I'm new to the forum, so if I sound foolish, please guide me...

Thanks
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4646

Jeanne Boyarsky wrote:Why is it worse than a JSESSIONID in the URL? That's certainly vulnerable to session hijacking of course.


I'm not sure it is worse. Trusting anything from the client is dangerous.

Session IDs and nonces tend to work, as it is hard for the bad guy to change it and pick another legal value.
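The two points in this thread (Pat's "never trust any data from the client's browser" and his follow-up that session IDs work only because an attacker cannot pick another legal value) side by side, as an added example that is not code from the thread or from any servlet container. It is written in Python rather than as a servlet so it runs stand-alone; the account table, the form dictionaries standing in for what any HTTP client (browser or not) submits, and the function names are all constructed for the illustration:

```python
"""
Added example: a hidden form field that carries real authority (an account
id) versus one that carries only an opaque, random session token which is
resolved against server-side state. The transport (hidden field, URL
parameter or cookie) does not change what the server should trust.
"""
import secrets

# Constructed sample accounts, keyed by a server-side user id.
ACCOUNTS = {
    "u-100": {"owner": "alice", "balance": 250},
    "u-200": {"owner": "bob", "balance": 80},
}


def balance_trusting_hidden_field(form: dict) -> dict:
    """VULNERABLE pattern: the hidden field names the account and the
    handler uses it as-is. Any client that edits the field (a browser is
    just a program the user controls) reads someone else's account."""
    account_id = form["account"]          # taken straight from the client
    return ACCOUNTS[account_id]


class SessionStore:
    """Server-side session table. The client only ever holds an opaque
    token; the mapping to a user lives on the server."""

    def __init__(self) -> None:
        self._sessions: dict[str, str] = {}   # token -> user id

    def create(self, user_id: str) -> str:
        # 32 bytes from the OS CSPRNG (256 bits of entropy): an attacker
        # cannot "pick another legal value" by guessing or incrementing.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user_id
        return token

    def lookup(self, token: str):
        # Unknown tokens resolve to nothing; the client's claim is never
        # used directly, only as a key into state the server wrote.
        return self._sessions.get(token)

    def destroy(self, token: str) -> None:
        self._sessions.pop(token, None)


def balance_via_session(store: SessionStore, form: dict) -> dict:
    """HARDENED pattern: the hidden field carries only the session token.
    Which account is shown is decided server-side from that token."""
    user_id = store.lookup(form.get("session", ""))
    if user_id is None:
        raise PermissionError("unknown or expired session")
    return ACCOUNTS[user_id]


def demo() -> dict:
    """Walk through both patterns with a client that tampers with the
    hidden field. Returns a small result dict so the outcome can be
    checked programmatically rather than only printed."""
    results = {}

    # Alice's browser submits the form as rendered: account=u-100.
    results["honest_vulnerable"] = balance_trusting_hidden_field(
        {"account": "u-100"})["owner"]
    # A tampered submission: the hidden field was edited to u-200.
    results["tampered_vulnerable"] = balance_trusting_hidden_field(
        {"account": "u-200"})["owner"]

    store = SessionStore()
    alice_token = store.create("u-100")
    # Alice's own token resolves to her account.
    results["honest_hardened"] = balance_via_session(
        store, {"session": alice_token})["owner"]
    # Editing the hidden field to a made-up value gets nothing: the
    # server never trusted the field, only its own session table.
    try:
        balance_via_session(store, {"session": "u-200"})
        results["tampered_hardened"] = "accepted"
    except PermissionError:
        results["tampered_hardened"] = "rejected"
    results["token_length"] = len(alice_token)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The example deliberately says nothing about where the token travels: over plain HTTP a sniffer reads it whether it sits in a hidden field, the URL or a cookie, which is Jeanne's point, and the only fix for that layer is HTTPS.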
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60817

"The LuckyMe", please check your private messages for an important administrative matter.

