The URL contains a sensitive query parameter and is stored in the browser history. The web application may also be configured to log the URL of every request, so the sensitive parameter ends up saved in the server log.
Fix:
Fixing this problem requires two steps:
· Pass sensitive data in the URL only if strictly necessary. Once a user is authenticated, use a session ID with a limited lifetime.
· Use non-persistent, session-level cookies to hold session IDs and other private data.
The advantages of using session-level cookies to carry this information are:
· They are not stored in the browser's history or on disk
· They are usually not stored in server logs
· They are not passed to embedded resources such as images or JavaScript libraries
· They only apply to the domain and path for which they were issued
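As an added example (not code from the original page), the following Python shows both halves of the fix: a check that scans constructed access-log lines for session identifiers or credentials leaked through query parameters, and a helper that issues the session ID as a session-level cookie instead (no Expires/Max-Age, HttpOnly, Secure, scoped to the issuing domain and path). The list of sensitive parameter names and the log lines are assumptions made for the example.

```python
"""Added example: detect session IDs leaking into request URLs, and issue the
session ID as a non-persistent, session-level cookie instead."""
from urllib.parse import urlsplit, parse_qs
from http.cookies import SimpleCookie

# Parameter names commonly used to carry session IDs or credentials in a
# query string (assumed list; extend it for the application under review).
SENSITIVE_PARAMS = {"sessionid", "sid", "phpsessid", "jsessionid", "token", "password"}

# Constructed sample access-log lines in Common Log Format.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /account?sessionid=abc123 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /static/logo.png HTTP/1.1" 200 2048
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "POST /login?token=xyz HTTP/1.1" 302 0
"""

def find_sensitive_params_in_log(log_text):
    """Return (request path, [leaked parameter names]) for every log line whose
    URL carries a sensitive query parameter; such lines show the data is
    already persisted in the server log."""
    findings = []
    for line in log_text.splitlines():
        try:
            request = line.split('"')[1]          # the quoted request line
            method, target, _version = request.split(" ")
        except (IndexError, ValueError):
            continue                              # malformed line, skip it
        parts = urlsplit(target)
        query = parse_qs(parts.query)
        leaked = sorted(p for p in query if p.lower() in SENSITIVE_PARAMS)
        if leaked:
            findings.append((parts.path, leaked))
    return findings

def session_cookie_header(session_id, domain, path="/"):
    """Build a Set-Cookie value carrying the session ID as a session-level
    cookie: no Expires/Max-Age (discarded when the browser closes), HttpOnly,
    Secure, and limited to the issuing domain and path."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["domain"] = domain
    cookie["session"]["path"] = path
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Lax"
    return cookie.output(header="").strip()

if __name__ == "__main__":
    print(find_sensitive_params_in_log(SAMPLE_LOG))
    print(session_cookie_header("abc123", "example.com"))
```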