
Session key as a hidden field in a html form

 
Edward Chen
Ranch Hand
If we set the session key as a hidden field in an HTML form, will it create a big security hole? Will it cause a session hijack?

Thanks.
 
Jeanne Boyarsky
author & internet detective
Marshal
Edward,
It's not a bigger security hole than having it in the URL. If you are dealing with credit card numbers and the like, you need HTTPS though.

Nothing causes a session hijack. You mean, are you vulnerable to one? If someone has a packet sniffer and is intercepting the traffic, they can hijack any HTTP session because it's not encrypted like HTTPS is. They can intercept cookies, URLs and content.
 
Pat Farrell
Rancher
Edward Chen wrote: If we set the session key as a hidden field in an HTML form, will it create a big security hole? Will it cause a session hijack?


Yes, it's a huge hole.

Rule #1: never trust any data from the client's Browser.

You may think it's a browser, but it could be a bad guy's program pretending to be a browser.
 
Jeanne Boyarsky
author & internet detective
Marshal
Pat,
Why is it worse than a JSESSIONID in the URL? That's certainly vulnerable to session hijacking of course.
 
Ravi Sree
Ranch Hand
Jeanne Boyarsky wrote:Pat,
Why is it worse than a JSESSIONID in the URL? That's certainly vulnerable to session hijacking of course.


Hi pal,
I think that a session id, either in a URL or in a hidden field, is vulnerable to attacks either way...
because if this id gets into the hands of a hacker, they can impersonate a victim by getting the victim to follow a session-encoded URL to one's site, and if the victim is logged in and the hacker is logged in as well, then he can have access to confidential information...
I'm new to the forum; if I sound foolish, please guide me...

Thanks
 
Pat Farrell
Rancher
Jeanne Boyarsky wrote:Why is it worse than a JSESSIONID in the URL? That's certainly vulnerable to session hijacking of course.


I'm not sure it is worse. Trusting anything from the client is dangerous.

Session ids and nonces tend to work, as it is hard for the bad guy to change one and pick another legal value.
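As an added example (not code from this thread or from any of its posters), here is how a Java servlet can act on the advice given above: treat the presented JSESSIONID as untrusted client input, refuse an id that arrived in the URL, insist on HTTPS so the id cannot be sniffed, and rotate the id at login so a session-encoded URL handed to the victim in advance (the scenario Ravi describes) never becomes an authenticated session. The `/login` path, the `authenticate` method and the demo user are assumptions; the Servlet API calls used (`isRequestedSessionIdFromURL`, `isSecure`, `getSession`, `invalidate`) are standard `javax.servlet`, and the code assumes Java 9+ for `Map.of`.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Login servlet that treats the session id as untrusted client input:
 * it refuses ids that arrived through URL rewriting, insists on HTTPS,
 * and issues a fresh container-generated id once the user has proved
 * who they are, so an id planted beforehand is never promoted to an
 * authenticated session (session fixation).
 */
@WebServlet("/login")   // assumed path
public class LoginServlet extends HttpServlet {

    // Constructed demo credential store: username -> SHA-256(password).
    // A real application stores a slow, salted password hash (PBKDF2, bcrypt, ...).
    private static final Map<String, byte[]> USERS = Map.of("alice", sha256("correct horse"));

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {

        // A ";jsessionid=..." id in the URL is exactly the "session-encoded URL"
        // an attacker can hand a victim. Do not accept it as a session at all.
        if (req.isRequestedSessionIdFromURL()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "session id must be sent as a cookie");
            return;
        }

        // An id or password sent over plain HTTP can be read off the wire.
        if (!req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "login requires HTTPS");
            return;
        }

        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (user == null || pass == null || !authenticate(user, pass)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Session fixation defence: throw away whatever session the browser
        // presented (valid or not) and start a new one. On Servlet 3.1+
        // req.changeSessionId() rotates the id while keeping attributes;
        // invalidate-then-create is the portable form.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = req.getSession(true);
        session.setAttribute("user", user);
        session.setMaxInactiveInterval(15 * 60); // seconds of idle time before the id dies

        // The id never goes into a hidden field or a rewritten URL; the
        // container sends it only as the JSESSIONID cookie.
        resp.sendRedirect(req.getContextPath() + "/account");
    }

    /** Constant-time comparison against the stored hash (assumed demo check). */
    private static boolean authenticate(String user, String pass) {
        byte[] expected = USERS.get(user);
        if (expected == null) {
            return false;
        }
        return MessageDigest.isEqual(expected, sha256(pass));
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }
}
```

Pair this with the container's own session settings in `web.xml`: a `<session-config>` with `<tracking-mode>COOKIE</tracking-mode>` stops the container from ever appending `;jsessionid=` to a URL, and `<cookie-config>` with `<http-only>true</http-only>` and `<secure>true</secure>` keeps the JSESSIONID cookie out of page scripts and off plaintext HTTP. With both in place the only copy of the id the browser holds is the cookie, which is why the servlet above can reject anything else.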
 
Bear Bibeault
Author and ninkuma
Marshal
"The LuckyMe", please check your private messages for an important administrative matter.
 
It is sorta covered in the JavaRanch Style Guide.