



Directed Session


Classification Key: Core Security, Information Disclosure

Problem

E-commerce sites need to collect a great deal of data for each transaction. Web applications collect these data across multiple consecutive web pages. If an attacker can anticipate the URIs of the pages that he has to traverse, he can request them out of order and bypass some of the validation checks. How can the attacker be restricted from jumping between URLs in a session?

Solution

Expose a single URL to the user. Provide access to all pages relevant to a session from that URL. Initially serve the home page. Store session data in the server to determine which page to serve next. Enforce the path that a client can take during navigation.
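The following is an added illustrative example of the solution, not code from the pattern catalog or from any real e-commerce site. It models one entry point (think of a single `POST /checkout` URL) whose handler serves pages purely from server-side session state; the step names, the per-step validation rules and the `goto` form field used to represent a client trying to pick a page by name are all assumptions made for the example.

```python
"""Directed Session: one entry URL, server-side state chooses the page.

Added illustrative example, not from the pattern catalog or any real
e-commerce site. The step names and validation rules are assumed.
"""
import secrets

# Ordered workflow. The client is served these pages in this order only.
STEPS = ["home", "cart", "shipping", "payment", "confirm", "done"]


def validate(step, form):
    """Per-step server-side check; returns an error message or None."""
    if step == "cart":
        return None if form.get("items") else "cart is empty"
    if step == "shipping":
        return None if form.get("address") else "shipping address required"
    if step == "payment":
        card = str(form.get("card", ""))
        return None if card.isdigit() and len(card) == 16 else "invalid card number"
    if step == "confirm":
        return None if form.get("accept") is True else "terms not accepted"
    return None  # 'home' needs nothing; 'done' is terminal


class SessionStore:
    """In-memory server-side session state keyed by an opaque token."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        token = secrets.token_urlsafe(32)  # unguessable, not sequential
        self._sessions[token] = {"step": 0, "data": {}}
        return token

    def get(self, token):
        return self._sessions.get(token)


class DirectedSession:
    """The single handler behind the one exposed URL (e.g. POST /checkout)."""

    def __init__(self, store):
        self.store = store
        self.audit = []  # records attempts to pick a page by name

    def handle(self, token, form):
        """Process one request and return (page_to_render, error_or_None).

        The page is chosen from server-side state only. Nothing the client
        sends can name a page, so steps cannot be skipped.
        """
        sess = self.store.get(token)
        if sess is None:
            return "home", "unknown session"

        current = STEPS[sess["step"]]
        if current == "done":
            return "done", None

        # A client-supplied page selector (assumed field name 'goto') is
        # ignored but logged: it is exactly the URL-jumping the pattern stops.
        if "goto" in form:
            self.audit.append((token[:8], current, form["goto"]))

        error = validate(current, form)
        if error:
            return current, error  # re-serve the same page until it validates

        sess["data"][current] = {k: v for k, v in form.items() if k != "goto"}
        sess["step"] += 1
        return STEPS[sess["step"]], None


if __name__ == "__main__":
    store = SessionStore()
    app = DirectedSession(store)
    t = store.create()
    print(app.handle(t, {}))                   # ('cart', None)
    print(app.handle(t, {"items": ["book"]}))  # ('shipping', None)
    print(app.handle(t, {"goto": "confirm"}))  # ('shipping', 'shipping address required')
    print(app.audit)                           # one logged jump attempt
```

The point to notice is that `handle` never reads a page name from the request: the next page is `STEPS[sess["step"]]`, and the step counter only advances after the current step's validation passes. A request that tries to name a later page is served the page the session is actually on, and the attempt is recorded for monitoring.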

Known Uses

Amazon.com’s checkout process.

Source

Kienzle et al. Repository

Tags

Session, User Interface



Last modified: May 05, 2012

Conceived and Maintained by: Munawar Hafiz