
Directed Session

Classification Key: Core Security, Information Disclosure


E-commerce sites need to collect a great deal of data for each transaction, and the web application gathers these data across multiple consecutive web pages. If an attacker can anticipate the URIs of the pages he has to traverse, he can request a later page directly and bypass the validation checks performed on the pages in between. How can the attacker be restricted from jumping between URLs in a session?


Expose a single URL to the user. Provide access to all pages relevant to a session from that URL. Initially serve the home page. Store session data in the server to determine which page to serve next. Enforce the path that a client can take during navigation.
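The following is an added example of the pattern, not code from the catalog: a single checkout endpoint whose client input is only "view" or "submit", with the current step and the collected data held in a server-side session so the server alone decides which page comes next. The step names, validators and the in-memory `SESSIONS` store are assumptions made for the illustration.

```python
"""Directed Session as a server-side state machine (constructed example)."""
import secrets
from typing import Dict, Optional, Tuple

# Step order is fixed on the server; the client never names a step.
STEPS = ("cart", "shipping", "payment", "review", "complete")

# Each step's validation; a step is passed only when its own data is valid.
VALIDATORS = {
    "cart":     lambda f: bool(f.get("items")),
    "shipping": lambda f: bool(f.get("address")),
    "payment":  lambda f: bool(f.get("card_token")),
    "review":   lambda f: f.get("confirm") is True,
    "complete": lambda f: False,          # terminal step: nothing more to submit
}

# Server-side session store (assumed in-memory): sid -> {"step": int, "data": dict}
SESSIONS: Dict[str, dict] = {}


def new_session() -> str:
    """Issue an unguessable session id; the step index lives only on the server."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"step": 0, "data": {}}
    return sid


def checkout(sid: str, action: str, form: Optional[dict] = None) -> Tuple[int, str]:
    """The single exposed URL. Returns (status, page the server chose to render)."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return 403, "start"               # unknown session: back to the entry page
    current = STEPS[sess["step"]]
    if action == "view":
        return 200, current
    if action != "submit":
        return 400, current
    form = form or {}
    # Any client-supplied "step" or "page" field is simply ignored: the server
    # validates the data for the step it knows the client is on.
    if not VALIDATORS[current](form):
        return 400, current               # re-serve the same step, no advance
    sess["data"][current] = form
    sess["step"] = min(sess["step"] + 1, len(STEPS) - 1)
    return 200, STEPS[sess["step"]]
```

A client that posts payment data while the server still has it on the cart step is re-served the cart page, which is the property the pattern is after.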

Known Uses

’s checkout process.


Kienzle et al. Repository


Session, User Interface


Last modified: May 05, 2012

Conceived and Maintained by: Munawar Hafiz