Session id in url instead of cookies?

[tarkhil]

Hello

Did anyone implement keeping session id in URL? I need several different sessions for prototyping, and I'd prefer to put id to URL rather than to cookie, just for testing purposes and for ability to share session by sending URL.

[guest20]

There are pretty severe security consequences to having this in a production app.

If a bad guy knows your session id he's you. So if an admin logs into a session sent to them by a bad guy, that bad guy is now an admin on your site. It's called a session fixation attack.

Your webserver will also log all those session ids, and so anyone who gets into your logs is effectively automatically logged in as anyone who's link they click. This is a big problem if you use analytics tools because first, all urls are unique, and second, if a user of the analytics tool can view any urls, they can become the user who requested that url.

An alternate way you can get multiple sessions in the same app by pointing several sub-domains at your app, deleting cookies for the whole domain, and logging into each of those sub-domains. (like pointing admin-user.localhost, regularr-user.localhost, and nobody.localhost at your local dev server and then logging into each of them).

If you have your own session store that uses ids (instead of the mojo default which just shoves everything in json in a signed cookie) you could recover a session id from a get parameter in a hook when mode eq development

[tarkhil]

Sure, I know. That's exactly what I need for test purposes, the site will be password-protected from the top, by nginx.
I need to test easily the site with 4-5 users logged in. Closed test. No analytics required, no security problems possible. However, ability to send URL to make user instantly logged in is more than helpful.
I'll think on my own store and maybe publish the results.