Session_id is visible in page source, is it ok?

By : Roman
Source: Stackoverflow.com
Question!

I'm sending the session_id with the JavaScript. The session_id is visible in the source of the page like:

function startUpload(id){
    var queryString = '&' + $('#new_doc_upload').serialize() + "&session_id=" + "01dfda2def225bae907b129d2ffb1";
    $('#fileUpload').fileUploadSettings('scriptData',queryString);
    $('#fileUpload').fileUploadStart();
}

Is it ok that the session_id is visible, or is it a security issue? Thanks.



Answers
I would argue that it's perfectly fine. My rationale is that PHP sends it in clear text and so does the browser when you use sessions. Here's what happens in the background when you make a web request:

> GET / HTTP/1.1
> Host: example.com
> Accept: */*

< HTTP/1.1 200 OK
< Date: Tue, 12 Jul 2011 07:00:26 GMT
< Server: Apache
< Set-Cookie: PHP_SESSID=2873fd75b29380bc9d775e43e41dc898; path=/; domain=example.com; secure
< P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
< Vary: Accept-Encoding
< Content-Length: 5538
< Content-Type: text/html; charset=UTF-8

As you can see, I made a GET request and the server responds with Set-Cookie: PHP_SESSID= followed by my session ID. Anyone that's "sniffing" the request who would be able to see the session ID in the JavaScript would be able to get it from the headers too. The only thing to worry about would be things like malicious browser plugins and other exploits that are not likely but can be avoided by properly securing your code.

I'd recommend that you look at http://phpsec.org/projects/guide/4.html for some tips and information on session hijacking.



It's okay. It's probably not ideal, but anyone interested in hacking your sessions will look for it in the other places you might have put it anyway (cookies, etc.), so you're not lowering the bar much if at all. (Java EE stuff does this as a fallback if cookies don't work, appending ;jsessionid=xxx to every URL.)

The important thing is to ensure that it's difficult to hijack sessions, regardless of how the hacker got the session ID. (By binding the session to the source IP address and checking that at the server level on every request, using sane timeouts, and the various other techniques.)
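
The server-side checks named in the answer above (source-IP binding plus timeouts, evaluated on every request), as an added example that is not part of the original answers. The function name, record fields and timeout values are assumptions chosen for illustration.

```php
<?php
// Assumed limits; tune to the application.
const IDLE_TIMEOUT = 900;    // seconds allowed between two requests
const MAX_LIFETIME = 28800;  // seconds allowed since the session was created

// Decide whether a presented session ID may keep using its stored record.
// $session is the server-side record; returns [bool $ok, string $reason].
function check_session(array $session, string $remoteAddr, int $now): array
{
    foreach (['ip', 'created', 'last_seen'] as $key) {
        if (!isset($session[$key])) {
            return [false, 'incomplete session record'];
        }
    }
    // Compare packed binary forms so equivalent spellings of an address match.
    $bound = @inet_pton($session['ip']);
    $peer  = @inet_pton($remoteAddr);
    if ($bound === false || $peer === false || $bound !== $peer) {
        return [false, 'source address changed'];
    }
    if ($now - $session['last_seen'] > IDLE_TIMEOUT) {
        return [false, 'idle timeout'];
    }
    if ($now - $session['created'] > MAX_LIFETIME) {
        return [false, 'absolute lifetime exceeded'];
    }
    return [true, 'ok'];
}

// Constructed sample records and addresses (documentation IP ranges).
$now   = 1310454026;
$fresh = ['ip' => '203.0.113.10', 'created' => $now - 600, 'last_seen' => $now - 30];
$samples = [
    'same client'   => [$fresh, '203.0.113.10'],
    'different IP'  => [$fresh, '198.51.100.7'],
    'idle too long' => [['last_seen' => $now - 3600] + $fresh, '203.0.113.10'],
    'too old'       => [['created' => $now - 90000] + $fresh, '203.0.113.10'],
];
foreach ($samples as $label => [$record, $addr]) {
    [$ok, $reason] = check_session($record, $addr, $now);
    printf("%-14s %s (%s)\n", $label, $ok ? 'accept' : 'reject', $reason);
}
```

On a reject the session should be destroyed and the user sent back to login. Strict IP binding also rejects legitimate users whose address changes mid-session (mobile networks, rotating proxies).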



I recently did this while working on a Google Earth plugin project. It didn't use the browser's cookies so I had to pass session variables in the URL with JavaScript which grabbed it from the HTML. There are no security issues.


