Skip to content

Cookieless session considered dangerous

April 8, 2012

Another question came up: “What if users disable cookies – won’t session break?”. Yes. So will Forms Authentication and the Anonymous Identification Module. And so will half the web.

But wait — session state, forms authentication and the anonymous identification modules all have cookieless modes. Surely if that’s an option it’s fine to use, right? At my first job out of college I learned a lot and my favorite quote from a fellow employee named Jerry McCaffery was “Just because you can, doesn’t mean you should“. I love that quote.

Yes, those all have cookieless modes, but it’s insecure — it’s far too easy to share session IDs with other users. Here’s the problem: Say a bad guy goes to your product website and gets a URL with a session ID. They then send out a spam email for some product on your website to a million people and just one of those people follows the link. Image that person is then active in the application, adds the product to their shopping cart and starts to enter personal information (billing information, shipping address, etc.) which is then stored in that session. The problem is that the bad guy still has the same URL with the same session ID. They can come back to the website after the user and perhaps see the same session data that the other person entered.

Sure, you can try to take steps to avoid this, but it’s an extra attack vector you have to keep in mind that you (or a new hire, say) normally wouldn’t (and would probably forget about eventually). Simply not using the cookieless modes for session, et. al. avoids this attack vector entirely.

I think the irony here is that this feature exists because paranoid users think it’s more secure to completely disable cookies (instead of just persistent cookies).

6 Comments leave one →
  1. March 22, 2013 7:49 pm

    I agree with this mostly, but sometimes in the business world if you want to do business with another business and they turn off cookies as a business policy for security then you either do not do business with them or you use cookieless sessions. But of course you would have to do it in a way that would not comprise your other users or your site. The company I work for has to use cookieless for certain clients, but it is done knowing the risks at least and made for business reason.

  2. May 17, 2013 7:45 am

    nice blog

  3. May 17, 2013 7:49 am

    nice post

  4. rushdan permalink
    May 10, 2014 5:20 am

    nice article. I’m a newbie. Learn Session and Cookies in C#. Refer to your article , how to avoid or is any other ways instead to use cookies ? Thanks

    • May 11, 2014 9:46 am

      The article describes some options such as database, but you can use query string, hidden form fields, or you could use client-side state like WebStorage. Lots of options.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: