
Avoid session ID leakages

Requirement

The system must not expose session IDs in URLs and messages presented to the user.

Description

Session IDs are sensitive information: an attacker who obtains one can impersonate the user and steal, modify and/or destroy the information that user has access to. Information sent via URL parameters is:

  • stored in clear text in the browser history.

  • sent to external sites via the Referer HTTP header when the user follows a link or the page loads a resource from another origin.

  • sent to the configured search engine if the user types or pastes the URL into the address bar and the browser interprets it as a search query.

  • visible to scripts running in the browser, which may belong to third parties.

  • written to web server, proxy and CDN access logs along with the rest of the request line.

Therefore, session IDs should not be sent via URL parameters (including URL rewriting such as ;jsessionid=...), nor displayed in messages presented to the user, nor stored in logs. They should be transmitted in a cookie flagged Secure and HttpOnly, and any URL that has to be logged or echoed back to the user should have such parameters redacted first.
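As an added example (not part of the original requirement page), the following Python shows the three checks this requirement implies in working code: a scanner that flags session IDs carried in URLs, whether in the query string or in servlet-style path parameters, run over a couple of constructed access log lines; a redaction helper for URLs that must be logged or shown to a user; and the Set-Cookie value that should carry the ID instead of the URL. The parameter names, hostnames and log lines are constructed for the example and are not taken from any real system.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names that commonly carry a session ID. This list is constructed for
# the example; add the name your own framework uses.
SESSION_PARAM_NAMES = {
    "jsessionid", "phpsessid", "asp.net_sessionid", "sessionid", "session_id",
    "sid", "sessid", "session", "auth_token", "token",
}

# Servlet-style URL rewriting puts the ID in a path parameter: /app;jsessionid=...
_PATH_PARAM_RE = re.compile(r";(?P<name>[A-Za-z0-9_.\-]+)=(?P<value>[^;/?#\s]+)")
# Quoted fields of a combined-format access log: request line, Referer, User-Agent
_QUOTED_RE = re.compile(r'"([^"]*)"')


def find_session_id_leaks(url: str) -> list[tuple[str, str]]:
    """Return (location, parameter name) for every session ID carried in a URL.

    Both the query string (?sid=...) and path parameters (;jsessionid=...) are
    checked: either way the ID ends up in history, Referer headers and logs.
    """
    parts = urlsplit(url)
    leaks = [("path", m.group("name")) for m in _PATH_PARAM_RE.finditer(parts.path)
             if m.group("name").lower() in SESSION_PARAM_NAMES]
    leaks += [("query", name) for name, _ in parse_qsl(parts.query, keep_blank_values=True)
              if name.lower() in SESSION_PARAM_NAMES]
    return leaks


def redact_url(url: str, placeholder: str = "[REDACTED]") -> str:
    """Replace session ID values in a URL before it is logged or echoed to a user."""
    parts = urlsplit(url)
    path = _PATH_PARAM_RE.sub(
        lambda m: f";{m.group('name')}={placeholder}"
        if m.group("name").lower() in SESSION_PARAM_NAMES else m.group(0),
        parts.path)
    query = urlencode(
        [(n, placeholder if n.lower() in SESSION_PARAM_NAMES else v)
         for n, v in parse_qsl(parts.query, keep_blank_values=True)],
        safe="[]")
    return urlunsplit((parts.scheme, parts.netloc, path, query, parts.fragment))


def scan_access_log(log: str) -> list[tuple[int, str, str]]:
    """Return (line number, field, parameter) for each session ID found in the
    request line or the Referer of a combined-format access log."""
    findings = []
    for lineno, line in enumerate(log.splitlines(), 1):
        fields = _QUOTED_RE.findall(line)
        if len(fields) < 2:
            continue
        request, referer = fields[0], fields[1]
        tokens = request.split()
        if len(tokens) >= 2:  # "GET /path?query HTTP/1.1"; the host does not matter here
            findings += [(lineno, "request", n)
                         for _, n in find_session_id_leaks("https://localhost" + tokens[1])]
        if referer != "-":
            findings += [(lineno, "referer", n) for _, n in find_session_id_leaks(referer)]
    return findings


def session_cookie_header(session_id: str, max_age: int = 1800) -> str:
    """Build the Set-Cookie value that should carry the session ID instead of the URL.

    Secure: only sent over HTTPS. HttpOnly: unreadable by page scripts.
    SameSite=Strict: not attached to cross-site requests. Path=/: scoped to the app.
    """
    if not re.fullmatch(r"[A-Za-z0-9_\-]+", session_id):
        raise ValueError("session ID contains characters not allowed in a cookie value")
    return (f"sessionid={session_id}; Path=/; Max-Age={max_age}; "
            "Secure; HttpOnly; SameSite=Strict")


# Constructed access log lines: line 1 leaks a session ID twice (query string of
# the request and path parameter of the Referer); line 2 is clean.
SAMPLE_ACCESS_LOG = (
    '203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] '
    '"GET /cart?page=3&sid=9f8e7d6c5b4a3210 HTTP/1.1" 200 512 '
    '"https://bank.example/app;jsessionid=0123456789ABCDEF/account" "Mozilla/5.0"\n'
    '203.0.113.8 - - [10/Mar/2024:12:00:02 +0000] '
    '"GET /help?topic=login HTTP/1.1" 200 128 "-" "Mozilla/5.0"\n'
)

if __name__ == "__main__":
    for lineno, field, name in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"line {lineno}: session ID in {field} parameter {name!r}")
    print(redact_url("https://shop.example/cart?page=3&sid=9f8e7d6c5b4a3210"))
    print(session_cookie_header("9f8e7d6c5b4a3210"))
```

The scanner is name-based on purpose: it is meant to run over logs you already have and point at the handlers that still build URLs with the ID, after which the fix is to move the ID into the cookie and to pass every URL through the redaction helper before it reaches a log line or an error message.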

References