Session ID in URL Rewrite

ID

session_id_in_url_rewrite

Severity

high

Kind

Session Management

CWE

598

Description

  • Session ID in URL Rewrite: URL rewriting is used to carry the user's session ID (for example as a ;jsessionid= path parameter or a PHPSESSID= query parameter). The session ID may be disclosed in the Referer header of any cross-site request the page triggers, and it is also recorded in browser history, bookmarks, proxy logs and server access logs.

  • Referer Exposes Session ID: A hyperlink or embedded resource pointing to a different host name was found on a page whose URL carries the session ID. When the browser follows that link or fetches that resource, the full page URL, session ID included, may be sent to the external host in the Referer header.
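
The following is an added example, not part of the original finding text: a small offline check that reproduces both detections above. It looks for a session ID carried in the page URL or in any link on the page (path-parameter and query-string forms), and it flags links and embedded resources that point at another host, since those are the requests whose Referer header would carry the session ID. The parameter-name list, the host names and the HTML snippet are constructed for the example.

```python
"""Added example: detect session IDs in URLs and cross-host links that
would leak them through the Referer header. Not the scanner's own code."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, parse_qs

# Parameter names commonly used for URL-rewritten session IDs
# (constructed list for the example; extend for your own frameworks).
SESSION_PARAM_NAMES = {
    "jsessionid", "phpsessid", "sessionid", "session_id", "sid",
    "aspsessionid", "cfid", "cftoken",
}


def url_session_id(url):
    """Return (name, value) if the URL carries a session ID, else None.

    Covers the servlet-style path parameter (/page;jsessionid=...) and the
    query-string form (?PHPSESSID=...). Matching is case-insensitive on the
    parameter name because frameworks differ in the casing they emit.
    """
    parts = urlsplit(url)  # urlsplit keeps ';params' inside .path
    m = re.search(r";([A-Za-z_]+)=([^;/?#]+)", parts.path)
    if m and m.group(1).lower() in SESSION_PARAM_NAMES:
        return m.group(1), m.group(2)
    for name, values in parse_qs(parts.query).items():
        if name.lower() in SESSION_PARAM_NAMES and values:
            return name, values[0]
    return None


class LinkCollector(HTMLParser):
    """Collect every URL the browser would request from this page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag in ("a", "form", "img", "script", "link", "iframe"):
            for key, value in attrs:
                if key in ("href", "action", "src") and value:
                    self.links.append(value)


def analyse(page_url, html):
    """Return a list of (finding_id, url) tuples for the page."""
    findings = []
    sid = url_session_id(page_url)
    if sid:
        findings.append(("session_id_in_url_rewrite", page_url))

    collector = LinkCollector()
    collector.feed(html)
    page_host = urlsplit(page_url).hostname
    for raw in collector.links:
        target = urljoin(page_url, raw)  # resolve relative links
        host = urlsplit(target).hostname
        # Any request to another host carries this page's URL as Referer,
        # so if this page's URL holds the session ID, it leaks there.
        if sid and host and host != page_host:
            findings.append(("referer_exposes_session_id", target))
        if url_session_id(target):
            findings.append(("session_id_in_url_rewrite", target))
    return findings


# Constructed sample input: a page whose URL was rewritten by the server.
PAGE_URL = "https://shop.example/account;jsessionid=1A2B3C4D5E6F"
SAMPLE_HTML = """
<a href="/orders">My orders</a>
<a href="https://partner.example/offers">Partner offers</a>
<a href="/help?PHPSESSID=9f8e7d6c">Help</a>
<img src="https://cdn.partner.example/banner.png">
"""

if __name__ == "__main__":
    for finding_id, url in analyse(PAGE_URL, SAMPLE_HTML):
        print(f"{finding_id}: {url}")
```

On the sample page the check reports the page URL itself, the /help link (its own PHPSESSID), and both partner.example requests (the link and the image; subresource fetches send Referer just as navigations do). Note that current browsers default to the strict-origin-when-cross-origin referrer policy, which strips the path and query from cross-origin Referer values; the check still reports these links because a page-level Referrer-Policy such as unsafe-url re-enables full URLs and older clients never stripped them.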

Rationale

A session ID is a bearer credential: whoever presents it is treated as the logged-in user for the life of the session. Placing it in the URL exposes it through vectors that cookies avoid: browser history and bookmarks, server, proxy and CDN access logs, the Referer header sent to third-party hosts, and shoulder surfing. An attacker who reads browser history, receives referer headers on a site they control, or views access logs can replay a valid session ID and hijack the session without ever learning the password. URLs are also routinely shared via screenshots, copied links or email, so users leak their own credential without realising it. Current browsers default to the strict-origin-when-cross-origin referrer policy, which strips the path and query from cross-origin Referer values, but that default can be overridden by a page-level policy and does nothing for the history, bookmark and log exposures.

Remediation

Store session identifiers exclusively in cookies carrying the HttpOnly, Secure and SameSite attributes, and configure the framework so it never falls back to URL rewriting: in Java servlet containers set the tracking mode to COOKIE in the session-config section of web.xml (Servlet 3.0 and later), and in PHP set session.use_only_cookies=1 and session.use_trans_sid=0. Send a Referrer-Policy header (strict-origin-when-cross-origin or no-referrer) as defence in depth. If URL parameters are required for state management, use non-sensitive tokens that reference server-side state rather than embedding the session ID itself in the URL. After the change, verify that no response contains a rewritten link and that the Set-Cookie header actually carries all three attributes; a session cookie missing any one of them is a separate finding.
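
As an added example (not the page's or any framework's own code), the following issues the session ID in a hardened cookie using Python's standard http.cookies module and includes the check described above, which verifies that a Set-Cookie header carries HttpOnly, Secure and SameSite. The cookie name SESSIONID, the 30-minute lifetime and the sample header strings are assumptions made for the example.

```python
"""Added example: cookie-based session issuance in place of URL rewriting,
plus a checker for the required cookie attributes. Not the page's code."""
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "SESSIONID"   # assumed name for the example
REQUIRED_ATTRS = ("httponly", "secure", "samesite")


def new_session_id():
    """256 bits from the OS CSPRNG, URL-safe; never derived from user data."""
    return secrets.token_urlsafe(32)


def session_cookie_header(session_id, max_age=1800):
    """Build the Set-Cookie value for the session.

    Python's SimpleCookie emits HttpOnly and Secure only when the morsel
    flags are truthy, and supports SameSite from 3.8 onward.
    """
    jar = SimpleCookie()
    jar[COOKIE_NAME] = session_id
    morsel = jar[COOKIE_NAME]
    morsel["httponly"] = True      # not readable by page scripts
    morsel["secure"] = True        # only sent over HTTPS
    morsel["samesite"] = "Lax"     # not sent on cross-site POSTs
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    return morsel.OutputString()


def response_headers(session_id):
    """Headers for a response that starts a session: cookie, not URL."""
    return [
        ("Set-Cookie", session_cookie_header(session_id)),
        # Defence in depth: never send full URLs to other origins.
        ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ]


def check_set_cookie(header_value):
    """Return the hardening attributes missing from a Set-Cookie value.

    The first ';'-separated piece is name=value; the rest are attributes,
    compared case-insensitively as RFC 6265 requires.
    """
    pieces = [p.strip() for p in header_value.split(";")[1:]]
    present = {p.split("=", 1)[0].lower() for p in pieces}
    return [a for a in REQUIRED_ATTRS if a not in present]


if __name__ == "__main__":
    sid = new_session_id()
    for name, value in response_headers(sid):
        print(f"{name}: {value}")
    # Constructed sample of a weak cookie as a scanner might see it.
    weak = "SESSIONID=abc123; Path=/"
    print("missing on weak cookie:", check_set_cookie(weak))
```

The generated header reads SESSIONID=<id>; HttpOnly; Max-Age=1800; Path=/; SameSite=Lax; Secure, which is what the scanner should see after the fix; run check_set_cookie against the real response to confirm nothing upstream (a proxy or a framework default) has dropped an attribute.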