Closed athipathy-gunasekaran closed 5 years ago
@athipathy-gunasekaran,
The 'sessionDataKey' query parameter that you have noted is very similar to the local state maintenance parameters in protocols like SAML and OAuth. In SAML there is a binding-specific request parameter called 'RelayState', and in OAuth there is a request parameter called 'state', which are used to maintain the state between the request and the callback. Both are again query parameters. Similarly, in WSO2 Identity Server the 'sessionDataKey' query parameter is used to coordinate the request state across the components participating in the request flow. It does not correlate with the user session. Also, the request state maintained against the 'sessionDataKey' parameter value is cleared by each participating component at the end of the request flow.
Hope this clarifies your concern. In addition, we would appreciate it if you could follow the process for reporting security vulnerabilities at [1] whenever you feel you need to raise a security concern.
Thanks
Kindly note that we are closing this issue with the above answer. If you need further clarification, please contact us at security@wso2.com
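To make the distinction in the answer above concrete, here is an added illustration (not WSO2 Identity Server code, and not the maintainer's) of the pattern it describes: a request-state key carried in the login URL, looked up in a server-side store, consumed when the flow ends, and never itself resolving to a user session, which lives in a separate cookie. All store names, function names and the sample user are assumptions constructed for the example.

```python
import hmac
import time
import uuid
import secrets

# Constructed in-memory stores for this example only.
REQUEST_STATE = {}   # sessionDataKey -> pending request context (short-lived)
USER_SESSIONS = {}   # session cookie value -> authenticated principal
USERS = {"alice": "correct-horse-battery-staple"}  # constructed credential; real systems store hashes
REQUEST_STATE_TTL = 300  # seconds a pending request may stay unanswered (assumed value)


def start_flow(relying_party, relay_state):
    """An inbound SAML/OAuth request arrives. The server records the request
    context and returns the key that will appear in the login.do URL."""
    key = str(uuid.uuid4())
    REQUEST_STATE[key] = {
        "relyingParty": relying_party,
        "RelayState": relay_state,
        "created": time.time(),
    }
    return key


def login(session_data_key, username, password):
    """The login form POSTs credentials together with the key from the URL.
    On success the pending request state is consumed and a real session
    cookie is issued; the key is of no further use after this point."""
    ctx = REQUEST_STATE.get(session_data_key)
    if ctx is None or time.time() - ctx["created"] > REQUEST_STATE_TTL:
        REQUEST_STATE.pop(session_data_key, None)
        return None  # unknown, expired, or already-consumed request state
    expected = USERS.get(username, "")
    if not hmac.compare_digest(expected.encode(), password.encode()):
        return None  # wrong credentials: state stays so the user can retry
    # End of the request flow: clear the coordinating state.
    del REQUEST_STATE[session_data_key]
    cookie = secrets.token_urlsafe(32)
    USER_SESSIONS[cookie] = {"user": username, "relyingParty": ctx["relyingParty"]}
    return {"cookie": cookie, "RelayState": ctx["RelayState"]}


def resolve_session(token):
    """The only thing that maps to an authenticated user is the session cookie."""
    return USER_SESSIONS.get(token)


def key_is_live(session_data_key):
    return session_data_key in REQUEST_STATE
```

The key in the URL lets the login page find the pending request it belongs to; it carries no user identity, and once the flow completes it no longer resolves to anything. The authenticated session is bound to the cookie issued in the response, which is why the two must not be conflated when assessing exposure of the URL.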
We are using WSO2 Identity Server v5.3.0 as the identity provider for our web application.
We can see that WSO2 (authenticationendpoint) puts the session token ("sessiondatakey") in the request URL when the user tries to log in to our application, and this could lead to session hijacking by an attacker.
So is there an alternative mechanism for transmitting session tokens such as (sessiondatakey), for example HTTP cookies or hidden fields in forms that are submitted using the POST method?
A sample URL that we captured from our dev machine is below.
https://wso2is-server.com/authenticationendpoint/login.do?RelayState=https%3A%2F%2Fwso2is-server.com%2Fportal&commonAuthCallerPath=%2Fsamlsso&forceAuth=false&passiveAuth=false&tenantDomain=carbon.super&sessionDataKey=0ac67c61-14af-43d2-9a4d-9a7a4c12790c&relyingParty=wso2is-server.com&type=samlsso&sp=wso2is-server.com&isSaaSApp=false&authenticators=BasicAuthenticator:LOCAL