1 Reply Latest reply on Feb 2, 2016 3:04 PM by siplo

    Session management using JsessionId vs using cookies or URL rewriting

    ishan.shrivastava

      Dear Team,


      In a security audit we have been asked that "This application contains a session token in the query parameters. A session token is sensitive information and should not be stored in the URL. URLs could be logged or leaked via the Referrer header".

      We are using session management using jsessionId. But we have been asked that the session should be maintained using cookies (or hidden input fields). As per my understanding, JsessionID is nothing but a cookie only.

      Please provide your confirmation that using JsessionID is similar to cookies only, or let me know if we should go for session management using cookies.


      TIA,

        • 1. Re: Session management using JsessionId vs using cookies or URL rewriting
          siplo

          Hi,


          JSESSIONID, according to the specification, is a cookie. If the client supports cookies, the session id will be handled this way. If the client doesn't support cookies, the URL rewriting mechanism must be used, which adds jsessionid to every link in the application. BUT you can change the behavior of your app. server for how it will be handled. It means you can disable using cookies, for example. If I remember correctly, JB5 uses Tomcat as servlet container. Tomcat can control this behavior via context.xml.


          About security: if it is possible, use https instead of http. And yes, a sessionID in the url is not best practice.

          I hope this will help.
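As an added example (not from the original thread or from either poster), here is the configuration that addresses the audit finding: a web.xml fragment for a Servlet 3.0 or newer container that restricts session tracking to cookies, so the container never appends the jsessionid to rewritten URLs, plus the Context attributes for the Tomcat 6 generation that JBoss 5's JBoss Web is based on. It assumes a Servlet 3.0+ container for the first fragment and that the JBoss Web build in use honors the Tomcat 6 Context attributes for the second; check the version's Context documentation.

```xml
<!-- web.xml (Servlet 3.0 or newer). Without <tracking-mode>, the container
     may fall back to URL rewriting (;jsessionid=...) for clients that do not
     return the cookie, which is exactly what the audit flagged. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
      <name>JSESSIONID</name>
      <http-only>true</http-only>   <!-- cookie not readable from client-side script -->
      <secure>true</secure>         <!-- cookie only sent over HTTPS -->
    </cookie-config>
    <!-- COOKIE only: URL tracking is no longer permitted, so encodeURL()
         returns the URL unchanged and the session id never lands in logs
         or the Referer header. -->
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>

<!-- context.xml for Tomcat 6 / JBoss Web (JBoss 5), which predate Servlet 3.0
     and have no <tracking-mode>: disable URL rewriting on the Context instead.
     Assumption: these Tomcat 6 attributes are honored by the JBoss Web build in use. -->
<Context disableURLRewriting="true" useHttpOnly="true" />
```

After the change, verify by calling response.encodeURL("/some/page") from a request that carries no session cookie: it should return the URL unchanged rather than one ending in ;jsessionid=... . Clients that reject cookies then simply cannot hold a session, which is the intended trade-off.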