Krishna Prasad K P

Is it safe to pass Session ID through URL?

Guys, I need to open a web-based application from Salesforce. I wanted the application to call back to SFDC to get some data. So I was thinking of passing the SFDC session ID and server URL as query string parameters to the destination page. Is it safe to expose the Session ID in URL query string parameters? I am curious whether the query string parameters in the URL are visible over the network even though the endpoint is an "https" URL. Strangely, when you right-click code in the Eclipse Force.com IDE and select "Force.com>>Show in Salesforce web", it automatically opens up the SFDC page by passing the session ID in the URL. However, I am curious about how secure sending the session ID through the URL is. Please let me know your thoughts on it.


Thanks,

Krishna

Jia Hu
I guess it is not safe, but I also want to know why.

Check the blog below, there is a similar discussion.

More Secure Sites Forms with Encrypted Keys
http://blogs.developerforce.com/engineering/2009/08/more-secure-sites-webforms-with-encrypted-keys.html
Timba-InfoSec

I would pass it through a cookie just to be on the safe side. 

Krishna Prasad K P

@Timba-InfoSec,

How to pass them through cookie to another web application?


Thanks,

Krishna

IvanV

Technically, if it's not over SSL (https), it's not safe.

sfdcfox

If your endpoint is secure (using https), and your server logs are also secure (e.g. you have total control over the server and those files are properly restricted or scrubbed), then it is indeed safe to pass a session ID via a URL. Not only does the Force.com IDE do this, but Connect for Outlook also does this. When possible, however, you should strongly consider using cookies or a SOAP call instead, which places the security token out of the URL; server logs won't accidentally capture the Session ID tokens this way. Also, make sure your server automatically rejects insecure connections. As an additional layer of security, consider validating the client certificate before allowing the SSL connection.
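The "logs properly restricted or scrubbed" condition in the answer above, as an added example that is not code from this thread or from Salesforce: a small Python audit that finds session tokens in combined-format access-log lines (both the request line and the Referer field, since a page opened via a token-bearing URL passes that URL on as Referer when it loads further resources) and redacts them. The query-parameter names, the log format and the token values are assumptions constructed for the example.

```python
import re

# Query-parameter names assumed to carry a session token (an assumption for this
# example; add whatever names your own handoff URLs actually use).
_PARAM_RE = re.compile(r"(?i)(?P<prefix>[?&](?:sid|sessionid|session_id)=)(?P<value>[^&\s\"]*)")

def session_ids_in(text):
    """Return every session-token value found in a query string inside `text`."""
    return [m.group("value") for m in _PARAM_RE.finditer(text)]

def scrub(text):
    """Replace each session-token query value with a marker; everything else is kept."""
    return _PARAM_RE.sub(r"\g<prefix>[REDACTED]", text)

def audit_log(lines):
    """For each combined-format access-log line, report which field leaked a token
    (the request line or the Referer) together with a scrubbed copy of the line."""
    findings = []
    for n, line in enumerate(lines, 1):
        # Combined format split on double quotes: [.., request, .., referer, .., agent, ..]
        fields = line.split('"')
        request = fields[1] if len(fields) > 1 else ""
        referer = fields[3] if len(fields) > 3 else ""
        leaked = [name for name, f in (("request", request), ("referer", referer))
                  if session_ids_in(f)]
        if leaked:
            findings.append({"line": n, "fields": leaked, "scrubbed": scrub(line)})
    return findings

# Constructed sample log lines; the token values are placeholders, not real session IDs.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2013:10:15:02 +0000] "GET /app/start?sid=00Dxx0000001gEX!AQcAQExampleToken'
    '&serverUrl=https://na1.salesforce.com/services/Soap/u/27.0 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [12/Mar/2013:10:15:03 +0000] "GET /static/app.js HTTP/1.1" 200 812 '
    '"https://partner.example/app/start?sid=00Dxx0000001gEX!AQcAQExampleToken" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2013:10:16:40 +0000] "GET /app/start HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in audit_log(SAMPLE_LOG):
        print(f"line {finding['line']}: token in {finding['fields']} -> {finding['scrubbed']}")
```

Run against the sample, line 1 is flagged for its request line and line 2 for its Referer, while line 3 (a cookie- or SOAP-based handoff that keeps the token out of the URL) produces no finding.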