On Sun, Oct 27, 2019 at 00:50:17 -0400, Mike Gerwitz wrote:
> On Sat, Oct 26, 2019 at 09:48:37 +0200, tomas@tuxteam.de wrote:
>>> Passing session tokens via GET requests is a bad idea, because that
>>> leaks the token.
>>
>> Even in https?

[...]

> Back in what feels like a previous lifetime by now, I used to do a lot
> of work with phpBB2, which had an option to either store sessions in
> cookies or place PHPSESSID in the URL. It modified every link to
> include a session id. It tried to mitigate the issue by checking the
> source IP address, but if you were logged on the same network (e.g. in
> the same place of employment; school; library; etc), then sharing a link
> would lead to session hijacking.

Since I was in the mindset of leaking information, I forgot to mention
another negative side-effect of including tokens as query strings: it
can turn link sharing into a weapon using session fixation. E.g. I
could create an account, send a link to you with my session token, and
you may then be logged into my account. The user may then perform an
action that may benefit the attacker (or the action could be part of
the URL). This is sometimes used as a poor-man's SSO. :x

It can also work with POSTs: direct the user to an auto-submitting form.

Cookies are better suited for storing session tokens---you cannot set
cookie values for other domains without some other type of exploit
(e.g. XSS, but your cookies best be set to HTTP-only to mitigate that).

-- 
Mike Gerwitz
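As an added example, not code from this thread or from phpBB, here is a Python sketch of the server-side handling the mail argues for (all names are assumed: SessionStore, token_from_request, set_cookie_header, the cookie name sid): the server reads the session id only from the cookie and flags a token carried in the URL, rotates the id at login so a fixed pre-login token is useless, and sets the cookie with HttpOnly, Secure and SameSite=Lax.

```python
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlparse

SESSION_COOKIE = "sid"  # assumed cookie/parameter name

class SessionStore:
    """Server-side table mapping opaque session tokens to session state."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        token = secrets.token_urlsafe(32)  # unguessable, never taken from the client
        self._sessions[token] = {"user": None}
        return token

    def lookup(self, token):
        return self._sessions.get(token)

    def login(self, old_token, user):
        """Authenticate and rotate the token: a fixed pre-login token becomes useless."""
        self._sessions.pop(old_token, None)
        new_token = self.create()
        self._sessions[new_token]["user"] = user
        return new_token

def token_from_request(cookie_header, url):
    """Read the token only from the Cookie header; flag (but ignore) a ?sid= in the URL."""
    url_carried = SESSION_COOKIE in parse_qs(urlparse(url).query)
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    token = jar[SESSION_COOKIE].value if SESSION_COOKIE in jar else None
    return token, url_carried

def set_cookie_header(token):
    """Set-Cookie value: HttpOnly (no script access, blunts XSS theft), Secure
    (HTTPS only), SameSite=Lax (not sent with a cross-site auto-submitting POST)."""
    jar = SimpleCookie()
    jar[SESSION_COOKIE] = token
    for attr, value in (("httponly", True), ("secure", True), ("samesite", "Lax"), ("path", "/")):
        jar[SESSION_COOKIE][attr] = value
    return jar.output(header="").strip()

def fixation_attempt_fails(store):
    """Constructed scenario from the mail: a shared link carrying the attacker's token."""
    link = f"https://forum.example/index.php?{SESSION_COOKIE}={store.create()}"
    victim_token, flagged = token_from_request("", link)
    return victim_token is None and flagged  # not attached to the attacker's session, and noticed
```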