Is having a GUID in an HTTPS URL secure enough? Are there any security risks in using this way of authenticating users?

https://mywebsite.com/......?Guid=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Also, what measures can be taken to make this kind of URL more secure?

    To a large degree, it depends on your threat model. See the other question to review the potential issues with secret URLs. – Xander Oct 16 '14 at 14:29
  • Also see other questions and their answers [on the topic](http://security.stackexchange.com/search?q=guid+url) – TildalWave Oct 16 '14 at 18:05

1 Answer

A session id should be a Cookie parameter, and should never appear in the URL. Any value in the URL will show up in the Referer header, as well as in access log files. A web application will end up transmitting authentication credentials to other websites, and storing them in plaintext on the filesystem.

Additionally, when you pass a session id in the URL, you open the door for Session Fixation.

rook
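Added example, not code from the question or the answer above: it shows how a URL-borne GUID lands verbatim in a web server access log (with a defender-side check to find such leaks), and the cookie-based session handling the answer recommends, including issuing a fresh id at login so a planted id cannot be fixated. The sample path, client address, log format and all function names are assumptions.

```python
"""Session ids in cookies, not URLs: leak check and fixation-safe store."""
import re
import secrets
from typing import Dict, List, Optional

# Constructed sample request, shaped like the link in the question.
SAMPLE_PATH = "/account/report?Guid=0f8fad5b-d9cb-469f-a165-70867728950e"
GUID_RE = re.compile(r"[?&]Guid=([0-9a-fA-F-]{36})")


def access_log_line(client: str, path: str) -> str:
    """Common Log Format entry as a typical web server writes it: the full
    request path, query string included, is stored in plaintext."""
    return f'{client} - - [16/Oct/2014:14:29:00 +0000] "GET {path} HTTP/1.1" 200 512'


def guids_leaked_in_log(log_text: str) -> List[str]:
    """Defender-side check: pull URL-borne GUIDs out of an access log so
    they can be revoked and the endpoint moved to cookie-based auth."""
    return GUID_RE.findall(log_text)


def session_cookie(session_id: str) -> str:
    """Set-Cookie value: Secure keeps it off plain HTTP, HttpOnly keeps it
    away from script, SameSite=Lax limits cross-site sends."""
    return f"sid={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


class SessionStore:
    """Server-side sessions keyed by an unguessable, server-issued id."""

    def __init__(self) -> None:
        self._users: Dict[str, str] = {}

    def login(self, presented_id: Optional[str], user: str) -> str:
        """Issue a fresh id at login and discard whatever id the client
        presented, so an id planted by a third party (session fixation)
        never becomes an authenticated session."""
        if presented_id is not None:
            self._users.pop(presented_id, None)
        new_id = secrets.token_urlsafe(32)
        self._users[new_id] = user
        return new_id

    def user_for(self, cookies: Dict[str, str], query: Dict[str, str]) -> Optional[str]:
        """Hardened lookup: only the cookie is consulted; a ?Guid= or ?sid=
        query parameter (the `query` dict) is deliberately ignored."""
        return self._users.get(cookies.get("sid", ""))
```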