Lloyd Chambers wrote:
> I had sent the email below earlier today. Note that it includes
> jsessionid encoded in the URL.
>
> Now in this case, there is nothing particularly sensitive about
> opensolaris.org.
>
> But what are the security ramifications of a web site including
> jsessionid in the URL itself like this? Would this allow someone to
> hijack the session if the URL could be observed (or simply emailed, as
> I've done)?
Yes, that would be a problem.
If you want to protect your JSESSIONID, use cookies and HTTPS. When a
session is first created from an HTTPS request, and cookies are
enabled, the JSESSIONID will be returned in a cookie that is marked as
"secure", causing the browser to never include this cookie with any HTTP,
but only with HTTPS requests.
Jan
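The two defender-side checks the reply implies (does the session ID ever appear in a request URL, and is the JSESSIONID cookie actually issued with the Secure flag) can be scripted. The block below is an added example written for this thread, not code from Jan, Lloyd or any project; it assumes servlet-style URL rewriting (";jsessionid=..." as a path parameter, or "jsessionid" as a query parameter), Apache-style access-log lines, and uses a constructed sample log and constructed Set-Cookie headers.

```python
"""Audit helpers for session-ID exposure (added example, not from the thread).

Assumptions: the session ID travels either as a servlet-style ';jsessionid=...'
path parameter or 'jsessionid' query parameter (URL rewriting), or as a
JSESSIONID cookie; access-log lines follow the common Apache format.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Servlet containers append the session ID as a path parameter; match it case-insensitively.
JSESSIONID_PATH_RE = re.compile(r";jsessionid=([^;?#/]+)", re.IGNORECASE)
# Pulls the request target out of an Apache-style log line: "GET /path HTTP/1.1"
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/\d\.\d"')

# Constructed sample access-log lines (not real traffic); line 1 and line 3 leak a session ID.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [01/Jan/2009:10:00:00 +0000] "GET /os/index.jspx;jsessionid=ABC123 HTTP/1.1" 200 512 "-" "Mozilla"',
    '10.0.0.6 - - [01/Jan/2009:10:00:01 +0000] "GET /os/index.jspx HTTP/1.1" 200 512 "-" "Mozilla"',
    '10.0.0.7 - - [01/Jan/2009:10:00:02 +0000] "GET /os/page?jsessionid=DEF456&x=1 HTTP/1.1" 200 512 "-" "Mozilla"',
]


def find_session_id_in_url(url: str):
    """Return the session ID carried by a URL (path parameter or query string), or None.

    urlsplit keeps ';...' path parameters inside .path, so the regex sees them.
    """
    parts = urlsplit(url)
    match = JSESSIONID_PATH_RE.search(parts.path)
    if match:
        return match.group(1)
    for key, values in parse_qs(parts.query).items():
        if key.lower() == "jsessionid" and values:
            return values[0]
    return None


def redact_session_id(url: str) -> str:
    """Replace the session ID in a URL with a placeholder so the URL is safe to share or log."""
    sid = find_session_id_in_url(url)
    return url.replace(sid, "<redacted>") if sid else url


def scan_access_log(lines):
    """Return (line_number, redacted_url) for every request whose URL carries a session ID.

    A non-empty result means URL rewriting is in use and session IDs are landing in
    logs, Referer headers and anything a user copies out of the address bar.
    """
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = match.group(1)
        if find_session_id_in_url(url):
            hits.append((number, redact_session_id(url)))
    return hits


def audit_set_cookie(set_cookie: str):
    """Parse one Set-Cookie header value.

    Returns None unless it sets JSESSIONID; otherwise a dict saying whether the
    Secure flag (cookie only sent over HTTPS, as Jan describes) and HttpOnly
    flag (cookie hidden from page scripts) are present.
    """
    parts = [p.strip() for p in set_cookie.split(";")]
    name, _, _value = parts[0].partition("=")
    if name.strip().upper() != "JSESSIONID":
        return None
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return {"secure": "secure" in attrs, "httponly": "httponly" in attrs}


if __name__ == "__main__":
    for line_number, url in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"line {line_number}: session ID in URL -> {url}")
    # Constructed headers: the first is what a session created over HTTPS should look like.
    for header in ("JSESSIONID=ABC123; Path=/; Secure; HttpOnly", "JSESSIONID=ABC123; Path=/"):
        print(header, "->", audit_set_cookie(header))
```

Run against a real access log, any hit from scan_access_log is a signal to disable URL rewriting on the server; audit_set_cookie run over captured response headers confirms whether the Secure flag Jan mentions is actually being set.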