I have been tasked with attempting to fix a problem with session management in a web server. The code is written in C and is pretty old. Sessions are limited to creating a folder for a new session, and a little PHP script runs on top and checks that the SID is valid for a logged-in user.
However, the way the program works, the SID is stored in the URL, so any copy-paste results in session hijacking. Now I've been told it's not possible to change the fact that the SID is stored in the URL. It is not possible to use cookies, as some customers have high security settings in their browsers, and this also cannot be changed. The only things I can think of are URL rewriting, storing the SID in a hidden field, but I am still waiting for information from my manager. I don't think it will be possible, as the HTML files are pre-written and I don't think it is possible to add hidden fields to them; maybe this can be done on the fly by the server program, I'm not sure. And my last idea was to use tokens, or just to start a new session if a different IP address or User-Agent string is found, even if it has a valid SID.
I don't really know much about web security. I am on a placement year from university and mainly do C programming, but I have been given this task as a little side project, which I would like to try and accomplish something with.
Do any of you have any pointers?
I know I've been vague, and I'm not allowed to post any code 🙁 sorry.
Thanks for your help in advance though.
Even with already existing session managers, the only way to avoid session hijacking is to also validate against the client’s IP address and optionally the user agent string as well. Any of the other suggestions can be done just for obscurity, but won’t have any effect if somebody decides to try hacking into your app.
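To make the reply's advice and the poster's "start a new session on an IP/User-Agent mismatch" idea concrete, here is an added example (my own code, not the poster's server or the script it mentions). It assumes an in-memory session table, that the C server already has the client's address as a text string and the raw User-Agent header, that the SID arrives as a `sid=` query parameter (the parameter name is an assumption), and that `/dev/urandom` is available for generating IDs. Besides binding the SID to the client that logged in, it adds two things a practitioner would want with an ID that lives in the URL: strict parsing of the parameter before any lookup, and idle plus absolute timeouts so a pasted link goes stale on its own.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define SID_LEN      32           /* 128-bit id as lowercase hex */
#define MAX_SESSIONS 64           /* toy in-memory table; assumption for the example */
#define IDLE_TIMEOUT (15 * 60)    /* seconds without a request before a SID dies */
#define ABS_TIMEOUT  (8 * 3600)   /* hard lifetime regardless of activity */

enum { SESS_OK = 0, SESS_UNKNOWN, SESS_CLIENT_MISMATCH, SESS_EXPIRED };
typedef struct {
    char     sid[SID_LEN + 1];
    char     ip[46];              /* text form, long enough for IPv6 */
    uint64_t ua_hash;             /* FNV-1a of the User-Agent seen at login */
    time_t   created, last_seen;
    int      in_use;
} session_t;
static session_t sessions[MAX_SESSIONS];

/* FNV-1a 64-bit: fine for fingerprinting a UA string, not a cryptographic hash. */
static uint64_t fnv1a64(const char *s) {
    uint64_t h = 14695981039346656037ULL;
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 1099511628211ULL; }
    return h;
}

/* Compare without an early exit so lookup time does not leak matching prefixes. */
static int ct_equal(const char *a, const char *b, size_t n) {
    unsigned char d = 0;
    for (size_t i = 0; i < n; i++) d |= (unsigned char)(a[i] ^ b[i]);
    return d == 0;
}

/* 128 bits from the kernel CSPRNG; a guessable SID defeats everything below. */
static int random_sid(char out[SID_LEN + 1]) {
    static const char hex[] = "0123456789abcdef";
    unsigned char raw[SID_LEN / 2];
    FILE *f = fopen("/dev/urandom", "rb");
    size_t n = f ? fread(raw, 1, sizeof raw, f) : 0;
    if (f) fclose(f);
    if (n != sizeof raw) return -1;
    for (size_t i = 0; i < sizeof raw; i++) {
        out[2 * i] = hex[raw[i] >> 4];
        out[2 * i + 1] = hex[raw[i] & 0x0f];
    }
    out[SID_LEN] = '\0';
    return 0;
}

/* Pull sid= out of the request URL; accept only exactly SID_LEN hex digits so the
   table lookup never sees a malformed id. Returns 0 on success, -1 otherwise. */
int extract_sid(const char *url, char out[SID_LEN + 1]) {
    for (const char *q = strchr(url, '?'); q; q = strchr(q, '&')) {
        if (strncmp(++q, "sid=", 4) != 0) continue;
        q += 4;
        for (size_t i = 0; i < SID_LEN; i++) {
            if (!isxdigit((unsigned char)q[i])) return -1;
            out[i] = q[i];
        }
        out[SID_LEN] = '\0';
        return (q[SID_LEN] == '\0' || q[SID_LEN] == '&') ? 0 : -1;
    }
    return -1;
}

/* After a successful login: mint a SID and bind it to the client that logged in. */
int session_create(const char *ip, const char *ua, time_t now, char sid_out[SID_LEN + 1]) {
    for (int i = 0; i < MAX_SESSIONS; i++) {
        session_t *s = &sessions[i];
        if (s->in_use) continue;
        if (random_sid(s->sid) != 0) return -1;
        snprintf(s->ip, sizeof s->ip, "%s", ip);
        s->ua_hash = fnv1a64(ua);
        s->created = s->last_seen = now;
        s->in_use = 1;
        memcpy(sid_out, s->sid, SID_LEN + 1);
        return 0;
    }
    return -1;                                /* table full */
}

/* On every request carrying a SID. Anything but SESS_OK means: treat the request
   as unauthenticated and start a fresh session, as the question proposes. */
int session_validate(const char *sid, const char *ip, const char *ua, time_t now) {
    if (strlen(sid) != SID_LEN) return SESS_UNKNOWN;
    for (int i = 0; i < MAX_SESSIONS; i++) {
        session_t *s = &sessions[i];
        if (!s->in_use || !ct_equal(s->sid, sid, SID_LEN)) continue;
        if (now - s->created > ABS_TIMEOUT || now - s->last_seen > IDLE_TIMEOUT) {
            s->in_use = 0;                    /* a pasted URL stops working by itself */
            return SESS_EXPIRED;
        }
        /* Real SID, different client: refuse it but leave the owner's session alive,
           so holding a copied link is not enough to log the owner out. */
        if (strcmp(s->ip, ip) != 0 || s->ua_hash != fnv1a64(ua)) return SESS_CLIENT_MISMATCH;
        s->last_seen = now;
        return SESS_OK;
    }
    return SESS_UNKNOWN;
}
```

Two caveats on the binding itself: the User-Agent is a header the client chooses, so anyone who obtains the URL and copies the victim's browser string passes that half of the check, and an attacker behind the same NAT or proxy as the victim shares the IP, so it raises the bar rather than closing the hole. In the other direction, legitimate users whose address changes (mobile networks, some corporate proxies) or whose browser updates its User-Agent get dropped to a fresh session and have to log in again, which is the trade-off the "start a new session" approach accepts. The timeouts and the fact that the SID is only ever minted after login are what limit how long a leaked link stays useful.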