This article discusses the security implications of URL-based versus cookie-based session management in the xMatters web user interface, and what to consider when choosing between them.
By default, the xMatters web user interface uses URL-based session management. However, after installing the xMatters web server, you can switch to cookie-based session management as an alternative (for details, refer to the xMatters installation and administration guide).
For example, suppose a user who is permitted to see confidential data copies the URL of a non-confidential page from the browser's address bar and sends it to a colleague over instant messenger. With URL-based session management, that URL carries the sender's session identifier (the "jsessionid" parameter), so when the recipient opens it, xMatters treats the recipient as the sender: by simply following links from that page, the recipient can view everything the sender is entitled to see, including the confidential data. Note that this leak requires no malicious intent and happens even when the sender is aware of the risk, because copying and pasting a URL into an email, IM window, or ticket is a routine action and the session identifier travels with it.
Cookie-based session management prevents this kind of session 'stealing'. Because the session identifier is held in a cookie that the browser sends only to the xMatters site, it never appears in the address bar, and a URL passed to someone else carries no credential: the recipient is prompted to log in rather than inheriting the sender's rights. The same property keeps the identifier out of bookmarks, browser history, Referer headers, and web-server or proxy logs, which are further places a URL-embedded session ID is routinely recorded. Note that this closes the copied-URL leak specifically; it does not by itself protect the session identifier in transit, so the xMatters site should still be served over HTTPS as usual.
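The following script is an added example, not part of this article or of xMatters itself, showing what the leak described above looks like in practice and how to detect it after the fact. It extracts a jsessionid from a URL in either of the two forms URL-rewriting containers emit (the ";jsessionid=..." path parameter or a "?jsessionid=..." query parameter), strips it so a URL can be shared safely, and scans constructed sample lines (an access-log line and an IM transcript) for session identifiers that have leaked. The hostname xm.example.com, the paths, and the session ID values are all made up for the example.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# URL-rewriting servlet containers emit the session ID as a path parameter
# (";jsessionid=...") and occasionally as a query parameter ("?jsessionid=...").
# Matching is case-insensitive because containers differ in capitalisation.
_PATH_PARAM = re.compile(r";jsessionid=([^;/?#]+)", re.IGNORECASE)
_QUERY_PARAM = "jsessionid"


def extract_session_id(url: str) -> Optional[str]:
    """Return the session identifier carried in a URL or request path, or None."""
    parts = urlsplit(url)  # also accepts a bare path such as "/events/list.do;jsessionid=X"
    match = _PATH_PARAM.search(parts.path)
    if match:
        return match.group(1)
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() == _QUERY_PARAM:
            return value
    return None


def strip_session_id(url: str) -> str:
    """Return the URL with any jsessionid path or query parameter removed,
    i.e. the form that is safe to paste into an email or IM window."""
    parts = urlsplit(url)
    path = _PATH_PARAM.sub("", parts.path)
    query = urlencode(
        [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
         if k.lower() != _QUERY_PARAM]
    )
    return urlunsplit((parts.scheme, parts.netloc, path, query, parts.fragment))


def find_leaked_sessions(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Scan free-form text (access logs, chat exports, ticket bodies) for URLs or
    request paths that carry a session ID. Returns (line number, session ID,
    sanitised URL) for each hit."""
    hits = []
    for number, line in enumerate(lines, 1):
        # Split on whitespace and the quote/bracket characters that usually
        # delimit a URL in logs and chat text.
        for token in re.split(r"[\s\"'<>]+", line):
            if "/" not in token:
                continue
            sid = extract_session_id(token)
            if sid:
                hits.append((number, sid, strip_session_id(token)))
    return hits


# Constructed sample input: one web-server access-log line and a short IM
# transcript. Line 1 and line 2 carry the same (made-up) session ID; line 3
# is the sanitised URL that should have been shared instead.
SAMPLE_LINES = [
    '10.0.0.5 - alice [12/Mar/2012:10:01:22 +0000] '
    '"GET /events/list.do;jsessionid=7F3A9C1B2D4E5F60 HTTP/1.1" 200 5120',
    '[10:02] alice: have a look at '
    'https://xm.example.com/reports/summary.do;jsessionid=7F3A9C1B2D4E5F60?range=7d',
    '[10:03] bob: thanks, https://xm.example.com/reports/summary.do?range=7d loads fine',
]


if __name__ == "__main__":
    for number, sid, clean_url in find_leaked_sessions(SAMPLE_LINES):
        print(f"line {number}: session {sid} leaked; safe form is {clean_url}")
```

Every hit returned by find_leaked_sessions corresponds to a session that should be treated as compromised and invalidated, since anyone who saw the line can use the identifier until the session expires.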
Where an organization's policy permits cookies, cookie-based session management is the more secure choice. Note that it depends on every user's browser accepting cookies from the xMatters site: when the IT department manages browser configuration centrally, it can allow cookies for the xMatters site alone even if cookies are blocked elsewhere, which is far more reliable than asking individual users to maintain the correct browser settings themselves.
JDN-1233 Originally created by Don Clark