It's not a bigger security hole than having it in the URL. If you are dealing with credit card numbers and the like, you need HTTPS though.
Nothing causes a session hijack. You mean, are you vulnerable to one. If someone has a packet sniffer and is intercepting the traffic, they can hijack any HTTP session because it's not encrypted like HTTPS is. They can intercept cookies, URLs and content.
Edward Chen wrote: If we set the session key as a hidden field in an HTML form, will it generate a big security hole? Will it cause a session hijack?
Yes, it's a huge hole.
Rule #1: never trust any data from the client's Browser.
You may think it's a browser, but it could be a bad guy's program pretending to be a browser.
Jeanne Boyarsky wrote: Pat,
Why is it worse than a JSESSIONID in the URL? That's certainly vulnerable to session hijacking of course.
I think that a session ID either in the URL or in a hidden field, both are vulnerable to attacks....
Because if this ID gets into the hands of a hacker, they can impersonate a victim by getting a victim to follow a session-encoded URL to one's site. And if the victim is logged in, and the hacker is logged in as well, then he can have access to confidential information...
I'm new to a forum; if I may sound foolish, please guide me...
Jeanne Boyarsky wrote: Why is it worse than a JSESSIONID in the URL? That's certainly vulnerable to session hijacking of course.
I'm not sure it is worse. Trusting anything from the client is dangerous.
Session IDs and nonces tend to work, as it is hard for the bad guy to change it and pick another legal value.
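
The points raised in this thread (never trust a value sent by the client, and a session ID only helps if another legal value is hard to pick) can be shown with a small server-side sketch. This is an added example, not code posted by anyone in the thread; `SessionStore` and its method names are hypothetical, and a real servlet container manages JSESSIONID itself.

```python
import secrets


class SessionStore:
    """Hypothetical in-memory session store (illustration only)."""

    def __init__(self):
        self._sessions = {}  # session ID -> server-side state

    def create(self):
        # 256 bits from the OS CSPRNG: a client cannot guess another legal value.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def lookup(self, presented):
        # The ID may arrive in a cookie, a URL or a hidden field; all three are
        # client-controlled. Only IDs this server issued are accepted, and an
        # unknown ID is never adopted as a new session.
        if not isinstance(presented, str):
            return None
        return self._sessions.get(presented)

    def login(self, presented, user):
        # Rotate the ID at authentication, so an ID that someone else knew
        # before login (for example from a session-encoded URL) stops working.
        if isinstance(presented, str):
            self._sessions.pop(presented, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user}
        return new_sid


def demo():
    store = SessionStore()
    pre_login = store.create()  # constructed: an ID a third party also knows
    fresh = store.login(pre_login, "alice")
    return {
        "pre_login_still_valid": store.lookup(pre_login) is not None,
        "fresh_user": store.lookup(fresh)["user"],
        "made_up_id_accepted": store.lookup("client-chosen-value") is not None,
    }


if __name__ == "__main__":
    print(demo())
```

None of this protects the ID in transit over plain HTTP; as noted at the top of the thread, that requires HTTPS.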