put session ID in a cookie

asked 2019-10-18 12:31:05 +0800

Dear all,

My application has been penetration test using owasp-zap-proxy-login, and there 1 finding :

Method GET Evidence jsessionid=D766C74F5887F7B16EDA11E165C5661B

URL http://..*.123/abc/zkau/web/eb3e6a52 /js/zk.wpd;jsessionid=D766C74F5887F7B16EDA11E165C5661B

Method GET Evidence jsessionid=D766C74F5887F7B16EDA11E165C5661B

Solution For secure content, put session ID in a cookie. To be even more secure consider using a combination of cookie and URL rewrite.

What should i do to cover this finding ?

Best Regards, Tata. K

1 Answer

Sort by » oldest newest most voted

answered 2019-10-21 10:57:41 +0800

cor3000
6280 ● 2 ● 7

the way session IDs are handled are configured at container level, ZK doesn't have a related configuration.

Please check your server's documentation, and apply the relevant/desired settings:

e.g. this post mentions how to disable URL rewriting (just use cookies - avoid adding the session ID in the URL) in tomcat: https://stackoverflow.com/a/962757/4740707