Hello everybody,
A client has corporate guidelines that require all apps to be installed on their servers and to pass a thorough security check. They use HP's Fortify On Demand security software for their security reviews.
So far we were able to solve all the "issues" detected by this software but one: "Session Token Passed in Query String" (Medium). I've attached a .doc file with the detailed issue information as provided by HP's software.
The recommendation of the software is:
The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method, preferably with encryption enabled.
Although it's a medium issue, they are asking us to solve it to move forward, so we must somehow solve it or provide a technical explanation of why it does not apply.
I found this doc about sesskey https://docs.moodle.org/dev/Security:Cross-site_request_forgery but I was unable to find more info, nor have I found anything on the forums related to a similar situation from other members of the community.
As far as I understand, Moodle is not using sesskey for transmitting session tokens (as the review software implies) but to validate what is being transmitted using HTTP cookies, so this "issue" would not apply.
Can somebody help me with a more detailed technical explanation as to why this "issue" would not apply to Moodle (if that's the case) or how to, if possible, modify Moodle to comply?
Thanks!
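An added illustration, not Moodle's own code: a minimal model of cookie-authenticated sessions with a separate per-session CSRF token, showing that the value carried in the query string authenticates nothing on its own. The cookie name `MoodleSession`, the in-memory store and the user are constructed for the example.

```python
import secrets
import hmac

# Constructed in-memory session store: session id (sent only in a cookie) -> state.
SESSIONS = {}

def create_session(user):
    """Issue a session id for the cookie and a separate per-session CSRF token (sesskey)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "sesskey": secrets.token_hex(16)}
    return sid

def handle_request(cookies, query):
    """Model of a state-changing endpoint: authenticate by cookie, then confirm the sesskey.

    Returns "no session", "bad sesskey", or "ok:<user>".
    The sesskey is compared only after the cookie has identified a session;
    it never selects or creates a session by itself.
    """
    sid = cookies.get("MoodleSession")  # assumed cookie name for this example
    session = SESSIONS.get(sid)
    if session is None:
        return "no session"
    supplied = query.get("sesskey", "")
    # Constant-time comparison against the token bound to this session.
    if not hmac.compare_digest(supplied, session["sesskey"]):
        return "bad sesskey"
    return "ok:" + session["user"]

def demo():
    """Run the three cases a reviewer would ask about and return the outcomes."""
    sid = create_session("alice")
    sesskey = SESSIONS[sid]["sesskey"]
    return {
        # Legitimate same-site form submission: cookie plus matching sesskey.
        "cookie_and_sesskey": handle_request({"MoodleSession": sid}, {"sesskey": sesskey}),
        # Cross-site request: browser attaches the cookie, but the forger has no sesskey.
        "cookie_only": handle_request({"MoodleSession": sid}, {}),
        # A leaked sesskey without the cookie: no session is identified at all.
        "sesskey_only": handle_request({}, {"sesskey": sesskey}),
    }

if __name__ == "__main__":
    print(demo())
```

Even though the sesskey is not a session identifier, a token in a query string still lands in server logs, proxy logs and Referer headers, so the scanner's preference for POST bodies remains sound advice for anything that must stay secret.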