0

put session ID in a cookie

asked 2019-10-18 12:31:05 +0800

rukutuk gravatar image rukutuk
0

Dear all,

My application has been penetration test using owasp-zap-proxy-login, and there 1 finding :

Method GET Evidence jsessionid=D766C74F5887F7B16EDA11E165C5661B

URL http://..*.123/abc/zkau/web/eb3e6a52 /js/zk.wpd;jsessionid=D766C74F5887F7B16EDA11E165C5661B

Method GET Evidence jsessionid=D766C74F5887F7B16EDA11E165C5661B

Solution For secure content, put session ID in a cookie. To be even more secure consider using a combination of cookie and URL rewrite.


What should i do to cover this finding ?

Best Regards, Tata. K

delete flag offensive retag edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-10-21 10:57:41 +0800

cor3000 gravatar image cor3000
4887 2 7
ZK Team

updated 2019-10-21 10:59:32 +0800

the way session IDs are handled are configured at container level, ZK doesn't have a related configuration.

Please check your server's documentation, and apply the relevant/desired settings:

e.g. this post mentions how to disable URL rewriting (just use cookies - avoid adding the session ID in the URL) in tomcat: https://stackoverflow.com/a/962757/4740707

link publish delete flag offensive edit
Your answer
Please start posting your answer anonymously - your answer will be saved within the current session and published after you log in or create a new account. Please try to give a substantial answer, for discussions, please use comments and please do remember to vote (after you log in)!

[hide preview]

Question tools

Follow
1 follower

RSS

Stats

Asked: 2019-10-18 12:31:05 +0800

Seen: 11 times

Last updated: Oct 21

Support Options
  • Email Support
  • Training
  • Consulting
  • Outsourcing
Learn More