Session Token Disclosure in URL

A recent penetration test on my app raised the following issue:

"A session identifier was observed to be disclosed within a URL parameter. Sensitive information contained within URLs may be logged in various locations, including user browsers, web servers, and any forward or reverse proxy servers between communication endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may also be disclosed to third parties via the ‘Referer’ header when any off-site links are followed. This is an OWASP top 10 vulnerability.

The host was identified to disclose the session token via the ‘token’ parameter in a GET request. Furthermore, the ‘okta_key’ value was also observed to be transmitted.

Sample Request:

GET /login/sessionCookieRedirect?checkAccountSetupComplete=true&token=[REDACTED]&redirectUrl=https%3A%2F%2F[REDACTED]%2Foauth2%2Fv1%2Fauthorize%2Fredirect%3Fokta_key%3D[REDACTED] HTTP/2
Host: [REDACTED]
Cookie: JSESSIONID=0FF50B952B96AB5B0B110645CC8AFD2B; t=default; DT=DI0khjXly6LQ8KGHQrr1qecAg
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://[REDACTED]/login/login.htm?fromURI=/oauth2/v1/authorize/redirect?okta_key=[REDACTED]"

Is there any way to prevent this?
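The finding above is really two problems: the token sits in a URL, and URLs get written to places nobody treats as secret (access logs, proxy logs, the Referer header). The following is an added example, not code from the original post or from Okta, showing how a defender can scan a URL or an access-log line for the flagged parameter names and scrub them before the line is stored. The parameter names `token` and `okta_key` come from the report; the log line, hostnames and token values are constructed for the demo. It also handles the nested case the report shows, where `okta_key` is hidden inside the URL-encoded `redirectUrl` value, so a naive top-level check would miss it.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names the pentest report flagged; extend this set for your own app.
SENSITIVE_PARAMS = {"token", "okta_key"}

# Matches an absolute URL or a path that carries a query string inside a log line.
URL_RE = re.compile(r'(?:https?://[^\s"]+|/[^\s"]*\?[^\s"]*)')


def _walk(url, sensitive, depth, found):
    """Return `url` with sensitive query values replaced, recording hits in `found`.

    Query values that themselves look like URLs (e.g. redirectUrl, fromURI) are
    decoded and walked too, up to `depth` levels, so nested leaks are caught."""
    parts = urlsplit(url)
    pairs = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in sensitive:
            found.add(name)
            value = "[REDACTED]"
        elif depth > 0 and "?" in value:
            value = _walk(value, sensitive, depth - 1, found)
        pairs.append((name, value))
    # safe="[]" keeps the placeholder readable; everything else is re-encoded.
    return urlunsplit(parts._replace(query=urlencode(pairs, safe="[]")))


def find_sensitive_params(url, sensitive=SENSITIVE_PARAMS):
    """Names of sensitive parameters present anywhere in `url` (detection use)."""
    found = set()
    _walk(url, sensitive, 3, found)
    return found


def redact_url(url, sensitive=SENSITIVE_PARAMS):
    """`url` with sensitive values (including nested ones) replaced by [REDACTED]."""
    return _walk(url, sensitive, 3, set())


def redact_log_line(line, sensitive=SENSITIVE_PARAMS):
    """Scrub every URL-looking field in a log line (request target and Referer)."""
    return URL_RE.sub(lambda m: redact_url(m.group(0), sensitive), line)


# Constructed sample: same shape as the report's request, with fake values.
SAMPLE_TARGET = (
    "/login/sessionCookieRedirect?checkAccountSetupComplete=true&token=abc123"
    "&redirectUrl=https%3A%2F%2Fidp.example.com%2Foauth2%2Fv1%2Fauthorize"
    "%2Fredirect%3Fokta_key%3Dxyz789"
)
SAMPLE_LOG = (
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] '
    f'"GET {SAMPLE_TARGET} HTTP/2" 302 0 '
    '"https://idp.example.com/login/login.htm?fromURI=/oauth2/v1/authorize/redirect?okta_key=xyz789" '
    '"Mozilla/5.0"'
)

if __name__ == "__main__":
    print("flagged:", sorted(find_sensitive_params(SAMPLE_TARGET)))
    print(redact_log_line(SAMPLE_LOG))
```

`find_sensitive_params` is the piece to run over existing access logs to see how far the token has already spread; `redact_log_line` is what belongs in the logging pipeline (or the reverse proxy's log format) going forward. Note that redaction re-encodes the query, so a nested URL comes back percent-encoded even if the original (like the Referer above) was not. Scrubbing your own logs does nothing for third parties, though: the Referer leak is stopped at the source with a `Referrer-Policy: no-referrer` response header on the pages that carry the token, and the logging exposure is stopped by not putting the token in the URL at all.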


The token value is immediately invalidated after it is used and will expire in (30 seconds or 5 minutes need to check) if it is never used.
So if the browser or any device logs this during a request it will be invalidated if said device tried to use it immediately after.
Unless the device also blocks the browser request and that request never reaches the Okta endpoint.
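The answer above rests on two properties: the token is consumed on first use, and it expires quickly if never used. The following is an added example, not Okta's implementation or code from the original thread, of a token store with exactly those two properties, so the reader can see what a logged-and-replayed token actually buys an attacker under this design (nothing, once the legitimate redirect has completed or the TTL has passed). The `FakeClock`, session ids and 30-second TTL are constructed for the demo; the 30-second figure is one of the two values the answer mentions, not a confirmed Okta setting.

```python
import secrets
import time


class FakeClock:
    """Controllable clock so expiry can be demonstrated without sleeping."""

    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class OneTimeTokenStore:
    """Single-use, short-lived redirect tokens.

    A token is removed from the store on the first redeem attempt, whether or
    not it is still valid, so a replay of a logged token always fails."""

    def __init__(self, ttl_seconds=30, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock
        self._pending = {}  # token -> (session_id, expires_at)

    def issue(self, session_id):
        # Random, unguessable, and unrelated to the session id it maps to.
        token = secrets.token_urlsafe(32)
        self._pending[token] = (session_id, self.clock() + self.ttl)
        return token

    def redeem(self, token):
        """Return the session id for a fresh token, or None for unknown,
        already-used or expired tokens."""
        entry = self._pending.pop(token, None)
        if entry is None:
            return None  # never issued, or already consumed (replay)
        session_id, expires_at = entry
        if self.clock() > expires_at:
            return None  # sat unused past the TTL
        return session_id

    def purge_expired(self):
        """Drop tokens nobody ever redeemed so the store cannot grow unbounded."""
        now = self.clock()
        stale = [t for t, (_, exp) in self._pending.items() if now > exp]
        for t in stale:
            del self._pending[t]
        return len(stale)


def demo(ttl=30):
    """Walk through the three cases the answer describes and report each outcome."""
    clock = FakeClock()
    store = OneTimeTokenStore(ttl_seconds=ttl, clock=clock)

    t1 = store.issue("sess-A")
    first = store.redeem(t1)   # legitimate browser redirect: succeeds
    replay = store.redeem(t1)  # same token read back from a log: rejected

    t2 = store.issue("sess-B")
    clock.advance(ttl + 1)     # token never used; TTL passes
    expired = store.redeem(t2)  # rejected, and removed from the store

    t3 = store.issue("sess-C")
    clock.advance(ttl + 1)
    purged = store.purge_expired()  # housekeeping removes the unused t3

    return {"first": first, "replay": replay, "expired": expired, "purged": purged}


if __name__ == "__main__":
    print(demo())
```

The one case this design does not cover is the one the answer names last: a device that intercepts the request and prevents the legitimate redirect from reaching the endpoint can redeem the token itself within the TTL. Binding the token to something the interceptor does not hold (the `JSESSIONID` cookie from the original request, checked at redeem time) closes that gap, at the cost of the redirect only working in the browser that started the login.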