
An XSS vulnerability is exploited because the browser stores the cookie with the session id, so any access to a URL of the site you are logged in to goes with the privileges of the logged-in user.

What if, instead of using cookies, we log in the user via the URI, by adding the session id to the URI itself? Like this:

http://domain.com/123456/index.php?mailbox=Inbox

Here, "123456" is the session id. For an attacker, exploiting XSS this way would be much more difficult, because the cookie is not set, and there is no way to access the user's URI history.

The drawback is that you have to propagate the session id on the URI for each link when you deliver any page to the user, and if it is lost, the user will be logged out automatically. But this would be more secure.

Can this solution protect against an XSS vulnerability?

techraf
Nulik

1 Answer

You're talking about CSRF not XSS.

The recommended way to prevent CSRF is to use the Synchronizing Token Pattern.

Putting session ids in the URL is a bad idea. It means you can't bookmark or share URLs safely.

Neil McGuigan
  • Plus it leaks the session ID to any linked page/resource thanks to the Referer header, and it allows for easy session fixation attacks. That Java Servlet still enables this dreadful misbehaviour by default in this day and age is terrifying. – bobince Feb 07 '16 at 17:51
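
The token pattern the answer recommends, as an added example that is not part of the original answer or comment: the session id stays in a cookie, and every state-changing request must also carry a per-session token that a page on another site cannot read. The function names, the in-memory `SESSIONS` store and the `/delete` route are assumptions made for illustration.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> session data.
SESSIONS = {}

def login(user):
    """Create a session. The id is meant to travel in a cookie, never in the URL."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid

def render_form(sid):
    """Embed the session's CSRF token in a hidden field of a same-site form."""
    token = SESSIONS[sid]["csrf"]
    return ('<form method="post" action="/delete">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<button>Delete message</button></form>')

def handle_post(cookie_sid, form):
    """Accept a state-changing request only if its token matches the session."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return 401  # no valid session cookie
    submitted = form.get("csrf_token", "")
    # Constant-time comparison avoids leaking the token through timing.
    if not hmac.compare_digest(submitted.encode(), session["csrf"].encode()):
        return 403  # cookie was sent, but the request did not come from our form
    return 200

if __name__ == "__main__":
    sid = login("alice")
    token = SESSIONS[sid]["csrf"]
    # Same-site form submission: cookie plus the hidden-field token.
    print(handle_post(sid, {"csrf_token": token}))
    # Cross-site request: the browser attaches the cookie, but the other
    # site has no way to read the token, so the field is missing.
    print(handle_post(sid, {}))
```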