Cookieless session considered dangerous

Another question came up: “What if users disable cookies – won’t session break?”. Yes. So will Forms Authentication and the Anonymous Identification Module. And so will half the web.

But wait — session state, forms authentication and the anonymous identification modules all have cookieless modes. Surely if that’s an option it’s fine to use, right? At my first job out of college I learned a lot and my favorite quote from a fellow employee named Jerry McCaffery was “Just because you can, doesn’t mean you should“. I love that quote.

Yes, those all have cookieless modes, but it’s insecure — it’s far too easy to share session IDs with other users. Here’s the problem: Say a bad guy goes to your product website and gets a URL with a session ID. They then send out a spam email for some product on your website to a million people and just one of those people follows the link. Image that person is then active in the application, adds the product to their shopping cart and starts to enter personal information (billing information, shipping address, etc.) which is then stored in that session. The problem is that the bad guy still has the same URL with the same session ID. They can come back to the website after the user and perhaps see the same session data that the other person entered.

Sure, you can try to take steps to avoid this, but it’s an extra attack vector you have to keep in mind that you (or a new hire, say) normally wouldn’t (and would probably forget about eventually). Simply not using the cookieless modes for session, et. al. avoids this attack vector entirely.

I think the irony here is that this feature exists because paranoid users think it’s more secure to completely disable cookies (instead of just persistent cookies).