Cookie-based session management considerations

This article discusses URL- and cookie-based session management issues, implications, and considerations.


By default, the xMatters web user interface uses URL-based session management. However, after installing the xMatters web server, you can switch to cookie-based session management as an alternative (for details, refer to the xMatters installation and administration guide).


Although using cookies for session management does not weaken the security of xMatters users' sessions, some organizations do not allow cookies in their users' browsers because of concerns that a malicious web site (or a set of cooperating sites) could use them to track the pages a user visits. Other organizations, in contrast, require that session information be carried in cookies, because this prevents one user from 'stealing' another user's session simply by obtaining a URL from them.

For example, assume that a user with access to confidential data sends the URL of a non-confidential page to another person over instant messenger. If that URL carries the session identifier (the "jsessionid" request parameter), the recipient can browse as if they had logged in as the sender, and can therefore reach all of the sender's confidential data simply by following links. Even a user who is aware of the risk can inadvertently copy a URL from the address bar into an e-mail or IM window; a URL that carries the session ID is also recorded in browser history, in proxy and web server logs, and in the Referer header the browser sends when the user follows a link to another site.

Cookie-based session management closes this avenue. Because the session ID is stored in a cookie that the browser sends only to the xMatters site, the session stays local to the user's browser, and a URL that is passed on carries nothing that lets the recipient appropriate the sender's rights. It does not rule out every form of session theft, however: the session cookie should still be sent only over HTTPS and marked HttpOnly so that script running in the page cannot read it.
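The leak described above, worked through as an added example that is not part of the original article or of xMatters itself: a small Python script that finds session identifiers embedded in URLs, as a chat or e-mail gateway or someone reviewing logs would, and strips them before a URL is shared. The hostname, session IDs and IM transcript are constructed for the example; the two URL encodings it looks for, the ";jsessionid=" path parameter and a "jsessionid" query parameter, are the forms a Java servlet container produces when it rewrites URLs to carry the session.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# A servlet container that tracks sessions through the URL appends the id
# as a path parameter (";jsessionid=...") ahead of any query string. Some
# links also carry it as an ordinary query parameter; both are handled.
_PATH_PARAM = re.compile(r";jsessionid=[^/;?#]*", re.IGNORECASE)
_URL = re.compile(r"https?://[^\s<>\"']+")

# Constructed IM transcript for the example (hostname and ids are made up).
SAMPLE_IM_TRANSCRIPT = """\
[10:02] alice: have a look at this report
[10:02] alice: https://xmatters.example.com/reports/summary.jsp;jsessionid=1A2B3C4D5E6F7890ABCDEF?range=week
[10:05] bob: thanks. also https://xmatters.example.com/help/index.jsp is where the docs live
[10:06] alice: and this older link https://xmatters.example.com/legacy/view?id=42&jsessionid=DEADBEEF00
"""


def extract_session_id(url: str):
    """Return the session id carried in the URL, or None if it carries none."""
    parts = urlsplit(url)  # urlsplit keeps ';...' path parameters in .path
    m = _PATH_PARAM.search(parts.path)
    if m:
        return m.group(0).split("=", 1)[1]
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() == "jsessionid":
            return value
    return None


def strip_session_id(url: str) -> str:
    """Return the URL with any session id removed, so it can be shared safely.

    A URL without a session id is returned unchanged.
    """
    parts = urlsplit(url)
    path = _PATH_PARAM.sub("", parts.path)
    query = urlencode(
        [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
         if k.lower() != "jsessionid"]
    )
    return urlunsplit((parts.scheme, parts.netloc, path, query, parts.fragment))


def find_leaked_sessions(text: str):
    """Scan free text (a chat log, an e-mail, a proxy log) for URLs that
    carry a session id. Returns (url, session_id) pairs in order of appearance."""
    leaks = []
    for url in _URL.findall(text):
        sid = extract_session_id(url)
        if sid is not None:
            leaks.append((url, sid))
    return leaks


if __name__ == "__main__":
    for url, sid in find_leaked_sessions(SAMPLE_IM_TRANSCRIPT):
        print(f"leaked session {sid} in {url}")
        print(f"  safe to share: {strip_session_id(url)}")
```

With cookie-based session management the same pages would be linked as `/reports/summary.jsp?range=week`, and the session id would travel only in the Cookie header of requests to the xMatters host, so `find_leaked_sessions` would return nothing for the transcript. The check is a detective control for the URL-based configuration; it does not replace switching to cookies.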


In general, cookie-based session management is the more secure choice wherever an organization permits cookies. When an organization's IT department controls users' browser configuration, it can enable cookies for the xMatters web site only; relying on individual users to maintain the appropriate browser settings is much less effective.

xMatters Reference

JDN-1233 Originally created by Don Clark


