Current behaviour
socket.io will add ?sid= to the URL when trying to connect
Steps to reproduce (if the current behaviour is a bug)
Normal use of socket.io client for javascript
Expected behaviour
Can we move the sid to a header?
Other information (e.g. stacktraces, related issues, suggestions how to fix)
Context:
We ran a pen test against our socket app using ZAProxy. One of the alerts we got is this:
Session ID in URL Rewrite:
URL rewrite is used to track user session ID. The session ID may be disclosed via cross-site referer header. In addition, the session ID might be stored in browser history or server logs.
Adding the sid to the URL is problematic according to ZAProxy.
Can someone explain the security risk if someone can get other people's sid?
Can it be used to listen/publish or get older messages?
Can we move the sid to a header?
Thanks
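As an added example, not code from socket.io or from the author of this issue: the check ZAP is making, reproduced for Node. It scans access-log lines for socket.io request URLs whose query string carries sid (or another session-id-looking parameter) and produces a redacted form safe to write to logs, which is the "server logs" part of the ZAP finding. The parameter list, the log format and the log lines are assumptions constructed for this example; the URL shape (/socket.io/?EIO=4&transport=polling&t=...&sid=..., with the first handshake request carrying no sid because the server only assigns one in its handshake response) is what an Engine.IO v4 client sends.

```javascript
// Added example (not socket.io code): find and redact session identifiers
// carried in URL query strings, the pattern behind ZAP's
// "Session ID in URL Rewrite" alert. Uses Node's global WHATWG URL class.

// Query parameters that commonly carry a session identifier. 'sid' is the
// Engine.IO session id; the rest are the usual suspects. Assumption: this
// list is illustrative and should be tuned to the application.
const SESSION_PARAMS = new Set([
  'sid', 'sessionid', 'session_id', 'jsessionid', 'phpsessid', 'asp.net_sessionid',
]);

// A relative request path needs a base origin for the URL parser; the
// placeholder is never emitted for relative input.
const PLACEHOLDER_BASE = 'http://placeholder.invalid';

// Return the names of query parameters on rawUrl that look like session ids.
function findSessionParams(rawUrl) {
  const u = new URL(rawUrl, PLACEHOLDER_BASE);
  const found = [];
  for (const name of u.searchParams.keys()) {
    if (SESSION_PARAMS.has(name.toLowerCase())) found.push(name);
  }
  return found;
}

// Return rawUrl with every session-looking query value replaced by
// "REDACTED". Relative input stays relative; absolute input stays absolute.
function redactSessionParams(rawUrl) {
  const u = new URL(rawUrl, PLACEHOLDER_BASE);
  // Copy the keys first: set() mutates the live searchParams object.
  for (const name of [...u.searchParams.keys()]) {
    if (SESSION_PARAMS.has(name.toLowerCase())) u.searchParams.set(name, 'REDACTED');
  }
  return rawUrl.startsWith('/') ? u.pathname + u.search : u.toString();
}

// Request-line extractor for common/combined access-log format (assumed format).
const REQUEST_LINE = /"(?:GET|POST) (\S+) HTTP\/[\d.]+"/;

// Scan log lines; report 1-based line numbers whose request URL carries a
// session id, together with the redacted URL that should have been logged.
function scanAccessLog(lines) {
  const findings = [];
  lines.forEach((line, i) => {
    const m = REQUEST_LINE.exec(line);
    if (!m) return;
    const params = findSessionParams(m[1]);
    if (params.length > 0) {
      findings.push({ line: i + 1, params, redacted: redactSessionParams(m[1]) });
    }
  });
  return findings;
}

// Constructed sample log: line 1 is the Engine.IO handshake (no sid yet),
// lines 2-3 are the polling requests that follow it with the assigned sid,
// line 4 is an unrelated static asset.
const SAMPLE_LOG = [
  '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /socket.io/?EIO=4&transport=polling&t=OaBc123 HTTP/1.1" 200 118',
  '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /socket.io/?EIO=4&transport=polling&t=OaBc124&sid=lv_VI97HAXpY6yYWAAAC HTTP/1.1" 200 2',
  '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "POST /socket.io/?EIO=4&transport=polling&t=OaBc125&sid=lv_VI97HAXpY6yYWAAAC HTTP/1.1" 200 2',
  '192.0.2.11 - - [01/Jan/2024:10:00:02 +0000] "GET /app.js HTTP/1.1" 200 5120',
];

console.log(JSON.stringify(scanAccessLog(SAMPLE_LOG), null, 2));
```

Redacting at the logging layer addresses only the server-log part of the alert; it does not change what the client puts on the wire. Whether the sid is also exposed through Referer headers or browser history depends on how the URL is reached: the polling and WebSocket URLs are requested by the socket.io client script, not navigated to by the user, so they appear in server logs but not in the browser's history.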