Is it good practice to display the session id in the url?

Tags: url, php, sessionid

I am using PHP 4+ and I am working on an osCommerce project, where I encounter the session id in the URL, so I just need to know: is it good practice to display the session id in the URL? If yes, then why? And if no, then why? And how can I hide the session id in the URL and use some substitute string there instead?

OM The Eternity asked May 25 '10 07:05


2 Answers

There's no point putting a substitute string in there - the point is, that if you are using URL-driven rather than cookie-driven session tracking, what is in the URL must identify the session. Whether it's the actual session ID or something that it can be derived from is neither here nor there - you're not making things any more secure by obfuscating.

Whether it's a good idea depends partly on the added security around it. If you can take a session-embedded URL from one machine to another and just carry on as if the same user in the same session, then no, it isn't. But you need to know more about the site behind it all to answer the question.

David M answered Sep 27 '22 21:09


URL session IDs were used when cookies were not widely supported/enabled. I don't think there is any justification to use them today. They look ugly, they are user-unfriendly (you can't just type in the URL and expect to be logged in), and they are security risks, as (though they are not necessarily vulnerable themselves) they make session hijacking vulnerabilities much easier to exploit.

Tgr answered Sep 27 '22 21:09
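The following is an added example, not code from the question, from either answer, or from osCommerce itself. It puts the two session-handling configurations both answers are talking about side by side: the legacy "trans-SID" setup in which PHP accepts the session ID from the query string and rewrites links to carry it (the behaviour the asker sees), and a cookie-only setup in which an ID found in the URL is ignored, an ID the server never issued is refused, and the ID is replaced on login so that a URL captured before authentication does not become a logged-in session on another machine (the test David M proposes). It assumes PHP 7.3 or later for the array form of `session_set_cookie_params()`; the cookie name `OSCSESSID`, the `login_user()`/`logout_user()` helpers and the user ID `42` are hypothetical.

```php
<?php
// Added example: contrasting URL-carried and cookie-only PHP sessions.
// Not part of the original question, answers, or osCommerce.
// Assumes PHP >= 7.3 (array form of session_set_cookie_params).

// 1. The legacy behaviour the question describes. With these settings PHP
//    reads PHPSESSID from the query string or a form field, and rewrites
//    relative links to append ?PHPSESSID=... . Anyone who obtains such a
//    URL (Referer header, proxy or web-server log, a pasted link) can open
//    it from another machine and continue as that user.
function configure_sessions_insecurely(): void
{
    ini_set('session.use_cookies', '1');
    ini_set('session.use_only_cookies', '0');  // also accept the ID from the URL
    ini_set('session.use_trans_sid', '1');     // rewrite links to carry the ID
    ini_set('session.use_strict_mode', '0');   // adopt whatever ID the client sends
}

// 2. Cookie-only sessions. No substitute string is needed in the URL:
//    the ID simply is not there, and an ID sent in the URL is ignored.
function configure_sessions_securely(): void
{
    ini_set('session.use_only_cookies', '1');  // never read the ID from the URL
    ini_set('session.use_trans_sid', '0');     // never write it into links
    ini_set('session.use_strict_mode', '1');   // refuse IDs the server did not issue
    session_set_cookie_params([
        'lifetime' => 0,       // session cookie, dropped when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,    // only sent over HTTPS
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_name('OSCSESSID'); // hypothetical cookie name, must precede session_start()
}

// On login, mint a fresh ID and delete the old session data. Any ID the
// user (or an attacker) held before authentication is now worthless, so a
// session-fixation URL handed to the victim does not become a logged-in
// session for whoever planted it.
function login_user(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']      = $userId;
    $_SESSION['logged_in_at'] = time();
}

// On logout, clear server-side state and expire the cookie in the browser.
function logout_user(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

configure_sessions_securely();
session_start();

// Show that an ID passed in the URL no longer reaches PHP: with
// use_only_cookies=1 the active ID comes from the cookie (or is freshly
// generated), so a query-string PHPSESSID is never the session actually used.
if (isset($_GET['PHPSESSID']) && $_GET['PHPSESSID'] !== session_id()) {
    error_log('Ignored session ID supplied in the URL: ' . $_GET['PHPSESSID']);
}

// Example flow: after the application has verified credentials, rotate the ID.
if (isset($_POST['username'], $_POST['password']) /* && credentials verified */) {
    login_user(42); // hypothetical user ID
}
```

On PHP older than 7.2, `session.use_trans_sid` cannot be changed with `ini_set()` and has to be set in `php.ini` or `.htaccess` (`php_flag session.use_trans_sid off`); osCommerce installations of the PHP 4 era also generated their own `osCsid` URL parameter independently of PHP's trans-SID, so the application-level link rewriting has to be disabled as well. Calling `configure_sessions_insecurely()` instead and requesting a link containing `?PHPSESSID=<someone else's id>` from a second browser is the quickest way to reproduce the hijack David M describes and confirm the fix.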