Why should application developers change the session ID names used by common web application development frameworks?
- These session ID names are not published in public documents.
- These session ID names can be used to fingerprint the application framework employed.
- These session ID names are used randomly and make integration of frameworks impossible.
- These session ID names typically contain a short length of numerical numbers and can be easily cracked.
|
Explanation & Hint: The session ID names used by the most common web application development frameworks can be easily fingerprinted. Some examples include PHPSESSID (PHP), JSESSIONID (J2EE), CFID and CFTOKEN (ColdFusion), and ASP.NET_SessionId (ASP .NET). These session ID names may indicate what framework and programming languages the web application uses. Changing the default session ID name of the web development framework to a generic name is recommended. |