senchalabs / connect

Connect is a middleware layer for Node.js
MIT License

Session should work without cookie #79

Closed mxfli closed 13 years ago

mxfli commented 14 years ago

With browser cookies disabled, the session does not work. PHP and JSP append the session id to the URL if cookies are disabled.

fceller commented 13 years ago

I'm facing the same problem. I had a brief look into session.js as I also need to modify the way session identifiers are generated. I believe I understand what has to be done to parse a URL parameter instead of a cookie.

However, I don't understand if there is a general hook to modify the generated links. All links need to be enriched with the additional parameter. I assume that if one uses a template engine like Jade, it should be possible to modify this engine to emit the additional parameter, but I might be wrong. Any hints welcome.

macavon commented 13 years ago

Please don't do this.

If the session id is included in the query string, it will be sent in the Referer header when a visitor to your site clicks on a link. This makes session hijacking trivial. All an attacker needs to do is post a comment or something similar with a link in it to a script that extracts the session id from the query string in the Referer header, then covers its tracks.

Similarly, if somebody emails a link to a page on your site while they are logged in, they will be emailing their session, so if the recipient clicks on the link, they will be logged in as the sender.

If somebody bookmarks a link with a session id, they will effectively preserve their session forever.

You'll notice that in PHP, this facility is now disabled by default.

If anybody really feels they must add it to Connect/Express, for everybody's sake, disable it by default and add a prominent security warning.
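As an added illustration of the point made above (example code written for this thread, not part of Connect or any contributor's code), the following Node.js snippet contrasts a session lookup that falls back to a query-string parameter with one that only honours the cookie, shows what a third-party site would read out of the Referer header, and gives a small log check a defender can run to find session ids appearing in request URLs. The parameter and cookie names, the `parseCookies` helper and the sample requests and log lines are all assumptions constructed for the example.

```javascript
// Added example, not from the connect project. Demonstrates why a session id
// carried in the query string leaks via Referer, and a cookie-only lookup
// that avoids it. Parameter/cookie names and helpers are assumed, not connect's.

const SID_PARAM = 'connect.sid';   // hypothetical query-string parameter name
const COOKIE_NAME = 'connect.sid'; // hypothetical session cookie name

// Minimal Cookie header parser (assumed helper, not connect's own).
function parseCookies(header) {
  const out = {};
  if (!header) return out;
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const key = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (key) out[key] = decodeURIComponent(value);
  }
  return out;
}

// Weak variant: if no cookie is present, accept the id from the URL.
// Anything in the URL is copied into Referer headers, bookmarks and
// forwarded links, which is exactly the leak described in the thread.
function sessionIdUrlFallback(req) {
  const cookies = parseCookies(req.headers.cookie);
  if (cookies[COOKIE_NAME]) return cookies[COOKIE_NAME];
  const parsed = new URL(req.url, 'http://localhost');
  return parsed.searchParams.get(SID_PARAM);
}

// Cookie-only variant: a session id in the query string is simply ignored.
function sessionIdCookieOnly(req) {
  const cookies = parseCookies(req.headers.cookie);
  return cookies[COOKIE_NAME] || null;
}

// What a third-party site receives: the Referer a browser sends when the user
// follows an outbound link from a page whose URL carries the session id.
// Returns the leaked id, or null when the referring URL carried none.
function sessionIdLeakedViaReferer(refererHeader) {
  if (!refererHeader) return null;
  try {
    return new URL(refererHeader).searchParams.get(SID_PARAM);
  } catch (e) {
    return null; // malformed or relative Referer: nothing to extract
  }
}

// Detection: on an app that is meant to be cookie-only, any request whose
// path carries the session parameter is worth alerting on. Takes access-log
// style lines and returns the offending ones.
function requestsCarryingSidInUrl(logLines) {
  return logLines.filter((line) => {
    const m = line.match(/"(?:GET|POST) (\S+) HTTP/);
    if (!m) return false;
    return new URL(m[1], 'http://localhost').searchParams.has(SID_PARAM);
  });
}

// Constructed sample requests and log lines (not real traffic).
const SAMPLE_REQ_URL = { url: '/account?connect.sid=abc123', headers: {} };
const SAMPLE_REQ_COOKIE = {
  url: '/account',
  headers: { cookie: 'connect.sid=abc123; theme=dark' },
};
const SAMPLE_LOG = [
  '10.0.0.1 - - "GET /account?connect.sid=abc123 HTTP/1.1" 200',
  '10.0.0.2 - - "GET /about HTTP/1.1" 200',
];

console.log('url fallback  :', sessionIdUrlFallback(SAMPLE_REQ_URL));
console.log('cookie only   :', sessionIdCookieOnly(SAMPLE_REQ_URL));
console.log('leaked referer:',
  sessionIdLeakedViaReferer('http://example.com/account?connect.sid=abc123'));
console.log('flagged lines :', requestsCarryingSidInUrl(SAMPLE_LOG));
```

The cookie-only lookup is the shape Connect's session middleware already has; the point of the comparison is that the fallback branch is the only line that needs to exist for the Referer leak to happen, so the safest change is to not add it at all.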

tj commented 13 years ago

Yeah, I don't plan on it.