Session Management / Session Token in URL

Web and API

Description

Session token in URL is a web and API vulnerability that occurs when an application passes a user's session token in the URL instead of in a secure cookie. Because URLs are recorded in places the application does not control (browser history, server and proxy logs, Referer headers), a malicious user can obtain the session token and use it to gain unauthorized access to the user's session. The issue is classified as CWE-598: Use of GET Request Method With Sensitive Query Strings. OWASP lists it as "Information exposure through query strings in URL".

Risk

This is a high-risk vulnerability that can lead to serious consequences such as session hijacking and data breaches. Session hijacking in turn leads to information leakage and impersonation of the user.

Solution

The best way to protect against this vulnerability is to avoid passing session tokens in URLs. Instead, store the session token in a secure cookie with the HttpOnly and Secure attributes and SameSite set to Lax or Strict. It is also important to use HTTPS to protect against session hijacking.
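The following Python example is added here to illustrate the description and the fix; it is not code from the original page. It shows the flawed pattern (the token in a query string), a small check that flags such URLs, and a Set-Cookie header carrying the attributes recommended above. The parameter names, the host app.example and the helper names are assumptions for the example.

```python
from http import cookies
from urllib.parse import parse_qs, urlsplit

# Query-string parameter names commonly used to carry session identifiers.
# Constructed list for this example; extend it for your own application.
SESSION_PARAMS = {"sessionid", "session_id", "jsessionid", "phpsessid", "sid", "token"}


def session_token_in_url(url: str) -> list[str]:
    """Return the names of parameters in `url` that look like session tokens (CWE-598)."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    found = {name for name in query if name.lower() in SESSION_PARAMS}
    # Some frameworks append the token as a path parameter: /app;jsessionid=...
    path_lower = parts.path.lower()
    found.update(name for name in SESSION_PARAMS if f";{name}=" in path_lower)
    return sorted(found)


def vulnerable_login_redirect(session_token: str) -> str:
    """The flawed pattern: after login the token travels in the URL."""
    return f"https://app.example/home?sessionid={session_token}"


def hardened_session_cookie(session_token: str, same_site: str = "Lax") -> str:
    """The fix: a Set-Cookie header value with HttpOnly, Secure and SameSite set."""
    jar = cookies.SimpleCookie()
    jar["sessionid"] = session_token
    jar["sessionid"]["httponly"] = True   # not readable by page scripts
    jar["sessionid"]["secure"] = True     # only sent over HTTPS
    jar["sessionid"]["samesite"] = same_site
    jar["sessionid"]["path"] = "/"
    return jar.output(header="").strip()


def missing_cookie_attributes(set_cookie: str) -> list[str]:
    """Report which of the recommended attributes a Set-Cookie header value lacks."""
    attrs = {a.strip().split("=")[0].lower() for a in set_cookie.split(";")[1:]}
    return [r for r in ("HttpOnly", "Secure", "SameSite") if r.lower() not in attrs]


if __name__ == "__main__":
    token = "EXAMPLE-TOKEN"  # constructed placeholder value
    print(session_token_in_url(vulnerable_login_redirect(token)))   # ['sessionid']
    print(hardened_session_cookie(token))
    print(missing_cookie_attributes("sessionid=EXAMPLE-TOKEN; Path=/"))
```

The first check can be run over URLs taken from access logs or crawl results to find endpoints that still leak tokens; the second over the Set-Cookie headers the application actually emits.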
