
The session_code and execute should not be visible in URL #28027

Open
hokuda opened this issue Mar 19, 2024 · 0 comments
Labels
kind/enhancement Categorizes a PR related to an enhancement status/triage

Comments

@hokuda
Contributor

hokuda commented Mar 19, 2024

Description

The session_code (and execution) should not be visible in the URL.

Discussion

No response

Motivation

Sending a CSRF token in the URL is not a safe measure. Although it is possible to include CSRF tokens in the URL, it is not recommended for several reasons:

  • Visibility: When CSRF tokens are sent in the URL, they are exposed in the browser history, server logs and possibly in the address bar. This increases the risk that an attacker could steal the token.
  • Referral Leakage: If a website has links to other sites (e.g., social media links or advertisements), CSRF tokens will also be included in those links. This could leak the token to unauthorized third parties.
  • Browser Cache: Some browsers can cache URLs, which means that even after logging out, the CSRF token may remain in the browser cache and be accessible for future requests.
  • Direct Reference Vulnerability: If an attacker gains access to the CSRF token in the URL (for example, through a malicious link), they could use it to perform unauthorized actions on behalf of the user.

Instead of sending CSRF tokens in the URL, it is recommended to use other more secure techniques, such as:

  • Secure cookies: Store the CSRF token in a secure cookie with the HttpOnly flag so that it is not accessible from JavaScript.
  • Custom headers: Send the CSRF token in a custom header (such as X-CSRF-Token) instead of the URL. (Though this is not available for generic browsers, only for specific clients, e.g. with Spring Security.)
  • Hidden forms: Include the CSRF token in a hidden field within HTML forms.

Details

No response

@hokuda hokuda added kind/enhancement Categorizes a PR related to an enhancement status/triage labels Mar 19, 2024
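The following is an added example, not code from the issue or from Keycloak, that shows the three recommendations above as server-side logic: the token is bound to the session on the server, issued through a Secure/HttpOnly cookie and a hidden form field, accepted only from the X-CSRF-Token header or the hidden field, and a state-changing request whose URL carries a sensitive parameter is refused outright. The Request class, the header and field names, the cookie name XSRF-TOKEN and the example URLs are constructed for the demonstration; only the parameter names session_code and execution come from the issue.

```python
import hmac
import html
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit


# Constructed, minimal request model for the demonstration; this is not
# Keycloak's request API and the field names are hypothetical.
@dataclass
class Request:
    method: str
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


# Server-side token store keyed by session id (synchronizer token pattern).
SESSION_TOKENS: Dict[str, str] = {}

# Query parameters that must never carry a secret; "session_code" and
# "execution" are the parameter names the issue complains about, "_csrf"
# is the hidden-field name used below.
SENSITIVE_QUERY_PARAMS = ("session_code", "execution", "_csrf")

# Request methods that change state and therefore need a token.
UNSAFE_METHODS = ("POST", "PUT", "PATCH", "DELETE")


def issue_token(session_id: str) -> str:
    """Create a fresh, unguessable token and bind it to the session."""
    token = secrets.token_urlsafe(32)
    SESSION_TOKENS[session_id] = token
    return token


def csrf_cookie_header(token: str) -> str:
    """Set-Cookie value following the issue's 'secure cookie' bullet:
    Secure and HttpOnly, so the token never travels in a URL or is read by scripts."""
    return f"XSRF-TOKEN={token}; Path=/; Secure; HttpOnly; SameSite=Strict"


def hidden_field_html(token: str) -> str:
    """Hidden form field carrying the token, the issue's third recommendation."""
    return f'<input type="hidden" name="_csrf" value="{html.escape(token, quote=True)}">'


def token_leaks_in_url(url: str) -> bool:
    """True when any sensitive parameter appears in the query string, i.e. the
    value would end up in browser history, server logs and Referer headers."""
    query = parse_qs(urlsplit(url).query)
    return any(name in query for name in SENSITIVE_QUERY_PARAMS)


def extract_submitted_token(req: Request) -> Optional[str]:
    """Read the token only from the custom header or the hidden form field,
    never from the query string."""
    header = req.headers.get("X-CSRF-Token")
    if header:
        return header
    return req.form.get("_csrf")


def validate_csrf(req: Request, session_id: str) -> Tuple[bool, str]:
    """Decide whether a state-changing request carries a valid token.
    Returns (accepted, reason) so the reason can be logged without the token."""
    if req.method.upper() not in UNSAFE_METHODS:
        return True, "safe method, no token required"
    if token_leaks_in_url(req.url):
        # Refuse outright: a token placed in the URL is already exposed
        # through the channels listed in the issue.
        return False, "token in URL refused"
    expected = SESSION_TOKENS.get(session_id)
    if expected is None:
        return False, "no token bound to session"
    submitted = extract_submitted_token(req)
    if submitted is None:
        return False, "token missing"
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return False, "token mismatch"
    return True, "ok"


if __name__ == "__main__":
    tok = issue_token("sess-1")
    print(csrf_cookie_header(tok))
    print(hidden_field_html(tok))
    print(validate_csrf(Request("POST", "https://idp.example/login",
                                headers={"X-CSRF-Token": tok}), "sess-1"))
    print(validate_csrf(Request("POST",
                                f"https://idp.example/login?session_code={tok}"),
                        "sess-1"))
```

The refusal in validate_csrf is deliberate: once a token has appeared in a query string it should be treated as burned, because the history, log and Referer exposures happen before the server ever sees the request.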