
Session ID in source code

bad idea?


Mike521

8:37 pm on Sep 14, 2010 (gmt 0)

10+ Year Member



I'm no expert on security so if anyone has input on the following situation I'd appreciate it.

I need to get a visitor's session ID into a javascript variable. I can do it in two ways:

<script type="text/javascript">
// json_encode() emits a complete, quoted JS string literal, so the
// interpolated value cannot break out of the string or the script context.
var sessionID = <?php echo json_encode($sessionID); ?>;
</script>


OR, using jquery and ajax:

<script type="text/javascript">
// Second request to the server; the assignment happens asynchronously,
// so window.sessionID is undefined until this callback has run.
$.get("/showSessionID.php", function (data) {
  window["sessionID"] = data;
});
</script>


The second method hides the session id from the source code, however it generates a 2nd page request that's almost unnecessary. So I'd prefer the first method as long as it doesn't pose any security risks.

The one minor problem I'm thinking of is that search engines will cache their own session ID in the source code, which will be viewable in cached pages, but the session ID of a search engine spider isn't a big deal.

Any thoughts, suggestions, alternatives?

Alcoholico

8:45 pm on Sep 14, 2010 (gmt 0)

10+ Year Member



Maybe use php to set a cookie and have js to read document.cookies.

Matthew1980

9:12 pm on Sep 14, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hi all,

Either way you will need to ensure that your users have js enabled; that's always one to watch out for, and personally either of those examples should/could work; though my preference would be the top one as I don't know enough about ajax to 'trust' it.

Cheers,
MRb

Mike521

3:14 pm on Sep 15, 2010 (gmt 0)

10+ Year Member



Thanks for the input.

So, no thoughts on just the basic security aspect of it? Is it bad to have a session ID in the source code?

rocknbil

4:37 pm on Sep 16, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Maybe use php to set a cookie and have js to read document.cookies.


If you're using PHP sessions and cookies are enabled in the browser, you're already using cookies. Start a PHP session, navigate to the page, and view cookies for your domain - it's called PHPSESSID. This is how PHP sessions stay connected with the browser.

That being the case, I can't comment on whether or not it's secure (don't think it's insecure but could be wrong) but you can avoid the session in the Javascript entirely. Every time you need that value, read the PHPSESSID cookie. Don't worry about PHPSESSIDs for other domains - a cookie can only be read from the domain it's been set on.

Note I have not tested this, but knowing the way cookies work - it should. :-)
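The cookie-reading approach suggested above, written out as an added example for this thread rather than code from any of the posters. It assumes PHP's default cookie name PHPSESSID; the helper names readCookie, looksLikePhpSessionId and the sample cookie string are made up for illustration. In a browser the call would be readCookie(document.cookie, "PHPSESSID"). Two caveats a practitioner should keep in mind: if the session cookie is set with the HttpOnly flag, document.cookie will not contain it and the helper returns null; and any cookie that page script can read can equally be read by injected script, which is the same exposure as printing the ID into the page source.

```javascript
// Added example (not from the original posts): read a named cookie out of a
// document.cookie-style string, e.g. readCookie(document.cookie, "PHPSESSID").
// Returns null when the cookie is absent, expired, or HttpOnly (invisible to script).
function readCookie(cookieString, name) {
  if (!cookieString) return null;
  // document.cookie has the form "name1=value1; name2=value2".
  for (const pair of cookieString.split(";")) {
    const trimmed = pair.trim();
    if (trimmed === "") continue;
    const eq = trimmed.indexOf("=");
    // A cookie without "=" is a bare name with an empty value.
    const key = eq === -1 ? trimmed : trimmed.slice(0, eq);
    if (key !== name) continue; // exact match only: "XPHPSESSID" must not match
    const raw = eq === -1 ? "" : trimmed.slice(eq + 1);
    try {
      return decodeURIComponent(raw);
    } catch (e) {
      return raw; // value was not percent-encoded; hand it back unchanged
    }
  }
  return null;
}

// Sanity-check the value before using it in script. PHP's built-in session id
// alphabets (4, 5 or 6 bits per character) are all subsets of [0-9a-zA-Z,-],
// and ids are between 22 and 256 characters long, so anything else is not a
// PHP session id and should not be trusted.
function looksLikePhpSessionId(value) {
  return typeof value === "string" && /^[0-9a-zA-Z,-]{22,256}$/.test(value);
}

// Constructed sample, shaped like what a browser exposes via document.cookie.
const SAMPLE_COOKIES = "lang=en; PHPSESSID=abc123def456ghi789jkl0; theme=dark%20mode";

function demo() {
  const sid = readCookie(SAMPLE_COOKIES, "PHPSESSID");
  return {
    sid: sid,
    valid: looksLikePhpSessionId(sid),
    missing: readCookie(SAMPLE_COOKIES, "nope"),
  };
}
```

The split-and-compare loop rather than a regex built from the cookie name avoids false matches on cookies whose names merely end in the target, and the decodeURIComponent guard keeps a malformed percent sequence from throwing in the middle of page setup.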

Mike521

2:37 pm on Sep 17, 2010 (gmt 0)

10+ Year Member



Actually, I had a version of this that used JavaScript to read the cookie set by the system, but in some weird cases it wasn't working. I'll dig into that again and see if I can fix it; I just liked the idea of a solution that didn't rely on reading the cookie (what if cookies are disabled, etc.).

Alcoholico

3:44 pm on Sep 17, 2010 (gmt 0)

10+ Year Member



If cookies are disabled, most likely JavaScript will be disabled too. Either way, sessions rely on cookies: if cookies are not available, a session ID will have to be appended to the URLs. You can force PHP sessions to work with cookies only, but your session may and will fail if your user decides she/he does not like your cookies.