During a gray-box assessment you notice the target web application propagates its session identifier as a long Base64 token appended to the query string of every internal hyperlink (for example, /dashboard?sid=eyJhbGciOi…). From a web application security perspective, what is the primary risk introduced by carrying authentication data in the URL instead of in an HttpOnly cookie?
JavaScript running in the same origin cannot read the token, preventing the application from implementing effective CSRF defenses.
The session token may leak through browser history, server logs, and Referer headers, making it easy for attackers to steal and reuse it.
Browsers will refuse to transmit the token over HTTPS connections, so authenticated requests will fail when TLS is used.
Placing the token in the URL disables the browser's same-origin policy, allowing any external domain to issue privileged requests.
URLs are routinely stored or forwarded by components that are outside the application's control. When a session token appears in the query string it is likely to be written to the browser's history, bookmarked by users, logged by web servers and proxy devices, and-most critically-sent in the Referer header when the user follows a link to an external site. Any party that can access those stores or headers can recover the token and hijack the session. Using an HttpOnly cookie keeps the value out of URLs, history, logs, and Referer headers, and prevents JavaScript from reading it, greatly reducing the chance of accidental disclosure. The other options describe effects that are either inaccurate or unrelated to this specific implementation flaw.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a session identifier in web applications?
Open an interactive chat with Bash
What is Base64 encoding, and why is it used for session tokens?
Open an interactive chat with Bash
How does storing session tokens as HttpOnly cookies protect them?
Open an interactive chat with Bash
What is Base64 encoding and why is it used in web applications?
Open an interactive chat with Bash
What is the role of the Referer header in web security risks?
Open an interactive chat with Bash
What are HttpOnly cookies and how do they enhance session security?
Open an interactive chat with Bash
Certified Ethical Hacker (CEH)
Web Application Hacking
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .