Security risks of carrying the session ID in the URL

Source: Internet
Author: User

Many Web development languages allow the session ID to be carried in the URL so that sessions still work when the browser has cookies disabled. This is convenient, but it opens the door to a session fixation attack delivered by phishing: the attacker plants a session ID he already knows, and the victim's login is then bound to that ID.

 

Figure:

It was cut out of the security report sent by the test group. The figure has some minor problems; I wanted to redraw it but could not find a suitable shape in Visio, so we have to make do with someone else's diagram.

 

Note:

The steps in the figure, described in detail:

1. The attacker logs in with his own account. Assume the login page is http://www.abc.com/login.jsp.

2. The server responds that the login succeeded.

3. The attacker reads his session ID from the cookie, for example 1234.

4. The attacker sends an ordinary user the login address with his own session ID embedded in it: http://www.abc.com/login.jsp;jsessionid=1234 (each language puts the session ID in the URL in its own way; this is the JSP/Servlet form). The server will accept 1234 because that session is still alive: the attacker created it in step 1.

5. The user logs in with his or her own account at the address the attacker supplied, and the login succeeds. Because the server does not issue a new session at login, the user's login state is written into the session the attacker already holds: the user's information overwrites the attacker's earlier login information, and both people now share the same session ID.

6. The attacker refreshes his page. The account information displayed is now the user's, not that of the attacker's own account.

 

Prevention and control:

Preventing this problem is actually easy. At the moment the user's credentials are verified, invalidate the session that arrived with the request (the Session.invalidate() method, i.e. request.getSession().invalidate() in a servlet), then store the login information in a freshly created session. The container generates a new, unpredictable ID for that session, so the ID the attacker planted never becomes an authenticated one, and his own copy of it (1234) is dead. Since the URL form of the ID is the channel used here, it is also worth switching off URL rewriting altogether: in a Servlet 3.0 container, <session-config><tracking-mode>COOKIE</tracking-mode></session-config> in web.xml stops response.encodeURL() and encodeRedirectURL() from appending ;jsessionid= at all. Regenerating the session at login is still the essential fix, because it works regardless of how the ID reached the server.
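The following is an added example, not code from the original article: a servlet-based stand-in for the login.jsp handler, shown in the vulnerable form that makes steps 5 and 6 of the walk-through succeed, beside the fixed form that applies the invalidate-and-recreate advice above. It assumes the login form POSTs username and password to this handler, uses the classic javax.servlet API, and replaces the real user store with a hypothetical checkCredentials() placeholder that accepts any non-empty pair.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Two versions of the login handler behind http://www.abc.com/login.jsp
 * (added example; class and method names are assumptions, not the page's code).
 *
 * VulnerableLoginServlet reuses whatever session the request arrived with, so a
 * login posted to ...;jsessionid=1234 is stored in session 1234, the one the
 * attacker already holds.
 *
 * FixedLoginServlet discards that session and lets the container issue a new ID
 * before storing the login state.
 */
public class LoginServlets {

    /** Hypothetical credential check standing in for the real user store. */
    static boolean checkCredentials(String user, String pass) {
        return user != null && pass != null && !user.isEmpty() && !pass.isEmpty();
    }

    /** Vulnerable: step 5 of the walk-through succeeds against this code. */
    public static class VulnerableLoginServlet extends HttpServlet {
        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            String user = req.getParameter("username");
            if (!checkCredentials(user, req.getParameter("password"))) {
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            // getSession() returns the session named by the ";jsessionid=" path
            // parameter (or the cookie) as long as that session is still valid.
            // With the attacker's link, that is his session "1234".
            HttpSession session = req.getSession();
            session.setAttribute("user", user); // victim's identity now lives in 1234
            // encodeRedirectURL() is what appends ";jsessionid=..." for cookieless clients.
            resp.sendRedirect(resp.encodeRedirectURL("/account.jsp"));
        }
    }

    /** Fixed: the login is bound to a session ID the attacker has never seen. */
    public static class FixedLoginServlet extends HttpServlet {
        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            String user = req.getParameter("username");
            if (!checkCredentials(user, req.getParameter("password"))) {
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            // Throw away the session that arrived with the request, whether it
            // came from a cookie or from a ";jsessionid=" the attacker planted.
            HttpSession old = req.getSession(false);
            if (old != null) {
                old.invalidate();
            }
            // The container now generates a fresh, unpredictable ID; the attacker's
            // copy of the old ID no longer resolves to any session.
            HttpSession fresh = req.getSession(true);
            fresh.setAttribute("user", user);
            // Servlet 3.1+ alternative that keeps attributes: req.changeSessionId();
            // Plain redirect: do not rewrite the new ID into the URL.
            resp.sendRedirect("/account.jsp");
        }
    }
}
```

Map whichever class you are testing to the login URL in web.xml, then repeat the six steps from the walk-through with two browsers: against VulnerableLoginServlet the attacker's refresh in step 6 shows the victim's account; against FixedLoginServlet the attacker's refresh lands on a dead session and he is sent back to the login page.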

 

Background:

You may be like me: at first you want to test for yourself whether the phishing really works. In my test it did. Pay attention to the following points when testing:

1. Pay attention to how your language includes the session ID in the URL. (I started by writing JSESSIONID in uppercase in the URL during the test, and it had no effect.) In Tomcat the URL path parameter is the lowercase jsessionid, while the cookie name is the uppercase JSESSIONID.

2. A supplementary point. You might think that if the form action in login.jsp is hard-coded rather than read from the current URL, this phishing problem cannot occur. That only blocks one direction. The attacker can build a page identical to login.jsp on his own host (for example http://www.abc1.com/login.jsp), send that address to the victim, and write the form on that page as: <form action="http://www.abc.com/login.jsp;jsessionid=1234" ...>. The victim's credentials are then posted to the real site, still under the attacker's session ID.
