Simon,
That makes sense. I can see why cookies aren't the best option in your
case.
As a work-around, have you considered using Prism? It won't be as
clean as tabbed browsing, but you will at least get the session
isolation you need.
Andrew
On Jun 18, 2008, at 12:22 PM, Simon Kitching <[EMAIL PROTECTED]> wrote:
Hi Andrew,
Many thanks for the quick answer.
Yes I did mean encoding the session id in the url
("http://host/foo.jsp;jsessionid=123?page=Main").
We want to disable cookies in our dev environment so that we can log
into the same app multiple times from the same browser; this makes
testing some things a lot easier. Firefox shares cookies between windows
unless you go to a lot of effort (setting up separate profiles). Note
that in the setup here, there is a large existing webapp with an
embedded jspwiki engine to serve the help pages; disabling a dev/test
feature in order to support the (small) help engine feature hasn't been
terribly popular.
I'm working on enabling this in JSPWiki anyway, but won't bother
submitting the patches here.
By the way, I don't see cookies as a lot more secure. The cookie text is
also sent in plain text in both the request and response bodies. There
aren't many cases where someone can intercept the url but not the
cookies. But thanks for the reference to OWASP; I'll have a look at what
they say about that.
Regards,
Simon
Andrew Jaquith schrieb:
Putting the session ID in the URL (which is I think what you are
asking about) is a fairly severe security risk. Cloning the session
becomes trivial if the URL is obtained.
I know that in certain locales (Germany, for example), it is believed
that cookies represent an invasion of privacy. But, perversely,
banning cookies actually decreases the overall level of security for
webapps because the session ID is now exposed in the URL. For this
reason, the practice of adding session IDs to webapp URLs has always
been discouraged by best-practice organizations such as OWASP.
Janne's comment from 2006, I expect, still holds. We would encourage
anyone who wishes to eliminate cookies -- in spite of best-practice
advice from the security community -- to write their own patches. But
it is extremely unlikely that JSPWiki will ever incorporate a "no
cookie" (URL rewriting) feature.
Andrew
On Jun 18, 2008, at 10:20 AM, Simon Kitching wrote:
Hi,
This email from 2006 says that "url rewriting" (i.e. having sessions
without cookies) is not supported by JSPWiki. Is this still true for
later releases?
http://www.nabble.com/URL-Rewriting-to6040752.html#a6042004
Thanks,
Simon