Thursday, November 12

How to SPEED UP your Android Studio?



Here are some quick tips that I have tried to speed up Android Studio on my Windows 8.1 laptop. I hope you have a laptop with 4GB RAM because that is recommended.

1) Uncomment these 2 lines in the project's gradle.properties file (if they are commented out), or add them if they are missing (see image below):
org.gradle.parallel=true
org.gradle.configureondemand=false



2) Add these 2 lines to the gradle.properties file at the location C:\Users\DataScience\.gradle, where 'DataScience' is the user I am logged in with on my Windows machine. If your Windows user is Jim, the path for you would be C:\Users\Jim\.gradle

3) In Android Studio you can enable offline work to make builds run faster. To enable offline mode, go to File >> Settings, click Compiler in the side menu, type --offline in the command-line options box and hit the OK button, like this:

Tuesday, November 10

Tracking Game : Big Data & Logistics

How can the Amazons, FedExes and Flipkarts of the world leverage the huge amount of customer and logistics data to improve and optimize their processes and increase profits? Do you remember the IBM RFID TV commercial in which a call center attendant sitting on the highway stops a trucker and tells him "The boxes you are carrying have told me you are lost and you are on the wrong road", and the driver replies "Maybe the boxes should drive the truck"? (https://www.youtube.com/watch?v=oAvQcYcvyaw) The advertisement was about RFID technology, and since then newer technologies have come into use in the logistics world.



Today's logistics is all about
1) Visualizing, Monitoring & Optimizing Delivery Routes
2) Ensuring Timely & Accurate Delivery by real time intervention
3) Predicting Future Demand and Peak Load by analyzing data
4) Reducing Inventory and optimizing processes

Big Data can help in achieving all the above goals. Amazon uses Big Data to optimize its supply chain. By using predictive-analysis based algorithms like 'Anticipatory Delivery', Amazon often surprises us by delivering items in a very short time: X number of popular products are prepacked and already delivered to warehouses in certain cities based on recent trends. Bluedart uses a GPS based technology chip called 'SenseAware' that provides complete details of each shipment, including parameters like temperature and humidity.

These systems are nothing but solutions based on a combination of current technologies like GPS, Hadoop, Complex Event Processing, sensor technology, predictive analysis, recommendation engines etc. Gartner, IDB and Forrester have already projected integrated Hadoop-like systems that will work like a framework. Multiple flavors of Hadoop are already offered by different vendors and the competition has just started. What is important is that the logistics landscape has changed, and by applying technology it has become affordable to monitor, track, optimize and innovate while at the same time reducing operating cost. Today Hadoop is not an option but an integral technology for the new generation of logistics systems.



Big Data Strategy - Smarty & Hasty Learning Series




21) Is Big Data only for large enterprises? How can small enterprises leverage Big Data?

Whether you run a small business with just a few employees or you are a large multinational enterprise, you can benefit from Big Data. The constant stream of data flowing to and from us through everyday devices and products generates more market data than ever before. The amount of data we're producing is growing at an incredibly rapid rate. In less than five years from today (2015), experts predict that our annual data creation will be in excess of 45 trillion gigabytes. With the amount of data available to individuals, corporations and governments, there is no question that your business needs a Big Data Strategy.
When we say Big Data Strategy, what is required is a focused, data-driven strategy that will not just collect information but use that information in the most effective ways possible, to help your business overcome existing business challenges and also improve your bottom line.
 
 
To define your Big Data strategy you should first have answers to these questions.
1) What is the biggest challenge for my enterprise/business today?
2) How can I know my customer better?
3) If I have better understanding of my data will it help to address business challenges?
4) How can I use analytics to get insights about my customers and their buying and spending patterns?
 
Once you have answered these questions you know the expected outcome of your Big Data strategy, and then you will be able to define the Big Data strategy for your business (you might take help from an expert). Big Data is not just for big businesses with huge amounts of data; it can help a small business strategize, increase its customer base and retain customers.
 
Take this example of a family-owned small company that helped tourists find cheap and comfortable accommodation with homeowners. The company helps around 700+ homeowners generate additional income by renting out their spare rooms. The small company used an analytics tool to tap into data ranging from spreadsheets to databases and make the analysis available to homeowners and contractors. The predictive analysis helped the company save a large amount of money through better planning and demand/supply management. The company had expected the Big Data spending to provide returns in 3 years but realized returns in 2 years. There are many more examples and I will share a few of them in the coming days.



Thursday, October 29

20) Tackling Top Telco Frauds with Big Data and Complex Event Processing - Part II

I am going to share a sample architecture that will help implement solutions to prevent fraud. The architecture combines Big Data technologies with Complex Event Processing (CEP) to provide a smarter, proactive system along with a dashboard that shows relevant fraud events or potential fraud events, which helps prevent fraud.
The high level diagram of the Big Data - Complex Event Processing solution is self explanatory; the key points to be noted are:
1) Technologies & products implemented in the sample solution
2) Real-time architecture to handle large amounts of data
3) The way data is ingested, filtered & crunched
4) The way events are 'acted on' on-the-fly
5) The operations dashboard that provides alerts and notifications so that manual checking is reduced
6) How analytics is going to be plugged into this architecture

Please feel free to mail me if you have questions.

19) Tackling Top Telco Frauds with Big Data and Complex Event Processing - Part I

Those of you who have not worked for a telecom company would be surprised to learn about the 'different types of fraud' faced by the telecom industry. Fraud is the biggest cause of revenue loss for telecom companies, and in general the top 5 types of fraud that a telecom faces are as follows (the priority might differ between telecom companies):


1) SIM Card Cloning Fraud:
This fraud persists because there is no efficient way to check for cloning; CSPs have to perform manual checks to detect cloning, which is not efficient.

2) Subscription Fraud Using Fake Identity:
Subscription fraud involves the acquisition of telecommunications services using stolen or false credentials and/or identity with no intention of paying. With subscription fraud, service providers lose revenue.

3) Roaming Data Fraud:
Delay in getting customer roaming call data from the roaming partner to the home network paves the way for fraudsters to make roaming calls, resulting in financial loss for the CSP; this is categorized as roaming fraud.

4) Internal Fraud Activity:
Internal manipulation of the system, account adjustments via the Voucher Administration Terminal and tampering with billing/rating systems are frauds that can be committed by people who have access to those systems.

5) Frauds Related to Prepaid Telecom Services:
A retail agent or call center agent may attach a value-added service (VAS) to an unsuspecting subscriber. For example, a ringtone can be added without the customer's knowledge or permission, resulting in a commission for the agent. Currently there is no effective means to analyze the data and detect this kind of fraud.
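The CEP layer described in Part II evaluates rules like these as call records stream in. The following is an added example (not code from the post) that raises alerts for two of the fraud types listed above: SIM cloning, detected as "impossible travel" between cells, and roaming fraud, detected as a burst of roaming calls from one IMSI. The cell-site table, thresholds, IMSIs and the CDR feed are all constructed sample data.

```python
"""Stream-style fraud rules over constructed call detail records (CDRs)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

# Constructed cell-site table: cell id -> (latitude, longitude).
CELLS = {
    "CELL-MUM-01": (19.0760, 72.8777),   # Mumbai
    "CELL-MUM-02": (19.1136, 72.8697),   # Mumbai, a few km away
    "CELL-DEL-01": (28.6139, 77.2090),   # Delhi
    "CELL-ROAM-X": (25.2048, 55.2708),   # roaming partner cell (Dubai)
}

MAX_SPEED_KMH = 900.0   # moving faster than this between cells is implausible
ROAM_WINDOW_S = 3600    # rolling window for the roaming-burst rule
ROAM_MAX_CALLS = 5      # more roaming calls than this per window raises an alert
HISTORY = 50            # events kept per IMSI for the rules


@dataclass(frozen=True)
class Cdr:
    ts: int        # epoch seconds at call start
    imsi: str
    cell: str
    roaming: bool


def parse_cdr(line: str) -> Cdr:
    """Parse a constructed 'ts,imsi,cell,roaming' CSV line."""
    ts, imsi, cell, roaming = (f.strip() for f in line.split(","))
    return Cdr(int(ts), imsi, cell, roaming == "1")


def distance_km(a: str, b: str) -> float:
    """Great-circle distance between two cell sites (haversine)."""
    lat1, lon1 = map(radians, CELLS[a])
    lat2, lon2 = map(radians, CELLS[b])
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


class FraudCep:
    """Keeps a short per-IMSI event history and emits alerts as CDRs arrive."""

    def __init__(self):
        self.history = defaultdict(lambda: deque(maxlen=HISTORY))

    def process(self, cdr: Cdr) -> list:
        alerts = []
        past = self.history[cdr.imsi]
        # Rule 1 (SIM cloning): implied speed between this event and any
        # recent event on a different cell exceeds what one handset can do.
        for prev in past:
            if prev.cell == cdr.cell:
                continue
            hours = max(abs(cdr.ts - prev.ts), 1) / 3600.0
            if distance_km(prev.cell, cdr.cell) / hours > MAX_SPEED_KMH:
                alerts.append(("SIM_CLONING_SUSPECTED", cdr.imsi, prev.cell, cdr.cell))
                break
        # Rule 2 (roaming fraud): too many roaming calls inside the window,
        # the pattern a delayed roaming-partner data feed would otherwise hide.
        if cdr.roaming:
            recent = sum(1 for p in past if p.roaming and cdr.ts - p.ts <= ROAM_WINDOW_S)
            if recent + 1 > ROAM_MAX_CALLS:
                alerts.append(("ROAMING_BURST", cdr.imsi, recent + 1))
        past.append(cdr)
        return alerts


def run(lines) -> list:
    """Feed CDR lines in arrival order and collect every alert raised."""
    cep = FraudCep()
    out = []
    for line in lines:
        out.extend(cep.process(parse_cdr(line)))
    return out


# Constructed CDR feed: IMSI ...001 is seen in Mumbai and then in Delhi two
# minutes later; IMSI ...002 places seven roaming calls within ten minutes.
SAMPLE_CDRS = [
    "1700000000,404010000000001,CELL-MUM-01,0",
    "1700000060,404010000000001,CELL-MUM-02,0",   # plausible move
    "1700000120,404010000000001,CELL-DEL-01,0",   # ~1150 km in 2 minutes
] + [f"{1700000000 + i * 90},404010000000002,CELL-ROAM-X,1" for i in range(7)]

if __name__ == "__main__":
    for alert in run(SAMPLE_CDRS):
        print(alert)   # these tuples are what the operations dashboard would show
```

In a real deployment the thresholds would be tuned per market and the alerts routed to the dashboard rather than printed.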

18) Telcos, challenge of Big Data & even Bigger Challenge of Telecom Fraudsters

Big Data brings an interesting set of technologies like Hadoop, sentiment analytics and predictive analytics. Big Data has also brought a new generation of solutions. The only challenge, as I have mentioned before, is that technology & business need to sit together to analyze and identify the 'right' use cases before investing in Big Data.
I have implemented complex integration solutions for telecom companies and realized that a telco is a world by itself. An outsider will never realize the complex workings of a telco and the huge volume of data that they generate! Telecom companies have always been at the forefront of adopting the latest technology innovations, and rightly so. The ever-growing customer base & network of the telco world generates a humongous amount of data. Telcos require their software to crunch data faster, filter out the noise & process faster. Big Data makes way for distributed data processing hubs for various telco use cases. I am listing a few use cases that I have discussed with some of the top think tanks and innovators of telcos.


Telecommunication Companies, Fraud Prevention & Big Data


One of the biggest challenges faced by telecom companies is fraud. Telecom companies lose more money to fraud than one can imagine. Fraudsters use innovative technology to commit fraud, so to detect and prevent fraud we need to use predictive analysis coupled with Big Data processing on the large volume of data generated by each phone, each switch and each tower, every second.



Take a quick look at some facts -



1. Telecom fraud is estimated at $40 B globally and it is the single biggest cause of revenue loss for operators, costing them between 3% and 5% of their annual revenue. With rising competition & extremely low average revenue per user (ARPU), detecting fraud and plugging revenue leaks have become extremely important to reduce costs.

2. One study reports that internal fraud (40.3%), roaming fraud (11.4%), pre-paid (10.8%), subscription (11.6%) and premium (13.1%) are the most important in terms of losses by value.

3. Fraud connected to prepaid accounts is much easier to commit and harder to combat, since there is very little information on the subscriber, unlike postpaid accounts, where a credit check is usually done. Entry-level fraudulent activities such as subscription and impersonation are very serious since the cost comes straight from the bottom line in the form of commissions and incentives.

4. Fraud management becomes more and more important as new methods of access become available, such as cable networks, wireless networks, DSL, satellite, metropolitan optical networks running Ethernet and broadband wireless systems (radio, microwave or infrared).

5. Although there is an abundance of data generated by mobile devices and systems, a large amount of that data is not processed in real time.

6. Telcos would like to detect critical events and patterns across all their data sources in real time, perform advanced in-memory analysis in real time, and take preventive or corrective action in real time to provide better service to their customers and reduce financial losses.

Wednesday, September 23

'Google Now' Commands that you should try on your Android Phone : Tried & Tested

As most of us are aware, the command 'Ok Google' on an Android phone invokes an interactive voice assistant that understands a vocabulary of commands. So when you pick up your Android phone and say "OK Google", your phone goes into listening mode and you can do things without touching the phone. So what do you say to your phone? What can you say to your phone? What all can the Google assistant do for you?

I tried exploring the commands and here's a list of just about everything you can say to Google Now. Another interesting thing: if Google Now doesn't get your spoken command right, you can correct it by saying "No, I said..." and trying the phrase again. The text in square brackets [] is not part of the command and can be changed to customize the command.


General Commands

  • How old is [Donald Trump]?
  • Where was [Donald Trump] born?
  • Define [colloquial] (Or “What does [colloquial] mean?”)
  • What time is it in [Mumbai]?
  • Search for [photography tips]
  • Show me pictures of [the Leaning Tower of Pisa]
  • Do I need an umbrella today? What’s the weather like? What’s the weather in [New Orleans] [this weekend]?
  • What's the [Google] stock price? What is [Apple] trading at?
  • What’s [182 yards] in [miles]? What is [12 ounces] in [liters]?
  • What’s [135] divided by [7.5]? (A great many types of math equations will work.)
  • Search [Tumblr] for [cat pictures] (more apps are added to this search-within-apps function all the time)

Device Control Commands

  • Open [apple.com]
  • Take a picture (“Take a photo” also works)
  • Record a video
  • Turn [on/off] [Bluetooth, Wi-Fi]
  • Turn [on/off] [Flashlight] 

Productivity

  • What’s the tip for [123 dollars]?
  • Set an alarm for [1:30 am]
  • Set a timer for [20 minutes]
  • Create a calendar event: [Dinner with Ajay, Saturday at 9pm.]
  • Remind me to [buy coffee at 7am] (try locations! Remind me to [buy coffee filters at BigBazar])
  • What is my schedule for tomorrow? (also: What does my day look like [Friday]?)
  • Where’s my package? (tracking confirmation must be in Gmail)
  • Make a note: [update my router firmware] (also try “Note to self:” This works with multiple apps, and you can even email yourself!)
  • Find [Anne Besant’s] [phone number] (Works with all info in your contacts - addresses, birthdays, etc.)
  • Show me my bills. (or: My bills due this week.)

Communication

  • Show me my last messages. (Then follow voice prompts)
  • Call [John] (also works with relationships: Call [sister])
  • Call [Mom] on speakerphone
  • Text [Sister] [great job on that feature yesterday] (also works with relationships: Text [mom] [I’m not going to be able to pick you up from the airport, period, I’m a bad son, period])
  • Send email to [Milind P], subject, [hunting], message, [I don’t think you should drink so much when you go hunting, period]
  • Post to [Twitter]: [Oh it's raining again!]
  • What is French for [My name is Donald]?
  • [Send a Hangout message] to [Dad].
  • Send a [Viber] message to [Barak]: Hang on, I'm going to get more coffee. (works with WhatsApp, Viber, WeChat, Telegram, and NextPlus)

Navigation and Travel

  • Where is the nearest [chinese restaurant]?
  • Navigate to [Nariman Point, Mumbai] 
  • Directions to [Fisherman’s Wharf] by [bike] (also try “Directions to home” or “How do I get home?”)
  • Where is [the Louvre Museum]?
  • Show me the menu for [Hell's Kitchen]
  • Call [Salarjang Museum]
  • Show me my flight info
  • Where’s my hotel?
  • What are some attractions around here?
  • How do you say [good night] in [Chinese]?
  • What is [50,000 yen] in [dollars]?
  • What’s the flight status of [Jet flight 735]?
  • Show me restaurants near my hotel -or- Give me directions back to my hotel (this works if your hotel confirmation was sent to your gmail account)

Entertainment Commands

  • Play [solitaire] (also try tic-tac-toe)
  • Play some music (opens “I’m feeling lucky” radio station in Google Play Music)
  • Next Song / Pause Song
  • Play [Happy] (songs must be in Google Play Music on your device)
  • Watch [The Lego Movie] (movies and TV must be in your Google Play account)
  • What’s this song?
  • Listen to TV
  • What songs does [Pharrell] sing?
  • Read [Hunger Games]
  • Did the [Giants] win today? What’s the score in the [Warriors] game?
  • What movies are playing [tonight]? Where is [Toy Story] playing?

Sports Commands

  • Say a team name to get the latest score during the season.
  • When is the next [Warriors] game?
  • Where are the [Giants] in the [MLB] standings?
  • Who does [LeBron James] play for?
  • Who won [the Superbowl]?
  • When is the [Stanley Cup final]?

Must try Fun Commands...

Many of these deliver funny voice responses, but normal search results. Turn up your sound!
  • What sounds does a [tiger] make?
  • Flip a coin
  • Roll dice (rolls a single six-sided die)
  • What is the loneliest number?
  • Do a barrel roll!
  • Askew / Tilt
  • Go go Gadget [Spotify]
  • When am I?
  • Make me a sandwich
  • Who’s on first?
  • Who are you?
  • Beam me up, Scotty!

Thursday, September 10

17) Smarter Border Security using Big Data

I have worked on designing Big Data solutions for various industries. My area of particular interest has been Border Security Solutions. There is immense scope to improve the border security solutions by use of various traditional & Big Data sources & make the security solutions smarter, more robust & predictive.

Any country's border can be penetrated by land, air & water through legal and illegal means, so a border security solution needs to consider non-traditional data sources in addition to the existing ones.

1) Collection of critical surveillance data using sensor technology - Today various types of sensors, video cameras and connectivity solutions have become far more affordable, and the data can be collected remotely, transmitted to a central server and processed speedily to get insights into the various security factors that need to be analyzed for border security.

2) Telecom Data - Call Data Records, tower data & user data from telecommunication providers can be monitored and analyzed to identify and track 'potential security threats'.

3) Voice & Data Analysis - Analysis of voice & data in border areas can provide information about potential threats and breaches in the border area, and most border areas already use this data for intercepting threat communication.

4) Social Media Data - Analysis of data from social media, blogs and internet call services can help identify discussions and profiles that could be involved in objectionable activities related to border areas.

5) Transport Data - Knowledge of vehicle owners & tracking of vehicles in border areas can provide additional data that can be related to various security breaches and can identify any new vehicle in the area. With this information a mechanism can be defined to screen vehicles moving in and across borders.

6) People Data - Biometric data of the residents of border areas should be used to identify 'new people' who have moved into the area. People movement, along with various other threat data, can be used to identify security threats and also help predict potential security breaches in the border area.

7) GPS Data - GPS data is collected by border security agencies and used for various objectives. A Big Data solution can help analyze the GPS data to identify potential security threats as well as to help position security personnel on the border, thus enabling optimum use of the security infrastructure.

8) Finally, Big Data analytics over the said data sources should help build a comprehensive analytics dashboard that can be used by the border agency as well as by the security personnel who protect the borders, using hand-held devices. I would like to discuss Big Data analytics and mobile devices in more detail because this is one of the fastest growing areas of Big Data & Mobile.

Sunday, August 30

Master Technology Architect Program 2015 : I received a lapel pin from our CTO Paul Daugherty

It was quite a pleasant surprise to receive the Master Technology Architect lapel pin from Accenture CTO Paul Daugherty. Now I can flaunt my certification on my coat!




What are the SOA Design Patterns every architect should know?



When I meet architects and developers at different forums I see that some people consider SOA to be an independent, optional discipline. The fact is, years back there was a time when the concept of SOA was new and people had to decide whether they should make changes to their applications to make them SOA compliant. Today we are convinced about the benefits of SOA and it is the de facto design principle. I would go to the extent of stating that if you are not following SOA principles when designing and coding applications in any technology, any programming language, then you are doing something very wrong.

My past employer Accenture was a pioneer in SOA implementation and innovation for SOA. I got the opportunity to lead the SOA Practice, work with industry leaders and implement multiple projects as an SOA Architect for some of the top clients. The best way to learn is to implement solutions for the most demanding Fortune 500 clients, and I was fortunate to get the opportunity as the lead SOA architect for Accenture. One of my innovations, SOA Service Bench, won 1st prize in an Accenture-wide innovation contest and I was honored by Accenture CTO Don Rippert, which is probably the most rewarding thing an architect wants in his career.

This post is about some basic SOA design patterns that you should be familiar with. You can evaluate your existing applications to see if they implement these patterns and, if not, analyze the benefits of implementing the SOA design patterns to make the applications SOA compliant. I assure you the benefits are immense in terms of maintainability, simplicity, loose coupling, reuse and atomic code. If you require any guidance feel free to write to me. I usually respond to queries on the weekend.

1. Agnostic Services
Service capabilities derived from specific concerns are not useful to multiple service consumers, which reduces their reusability potential. Agnostic services implement logic that is common to multiple business problems; separating agnostic logic into discrete services facilitates service reuse and composability.

2. Service Declaration
Agnostic services should explicitly declare that they are agnostic. This makes it clear to future designers and builders which services are designed to be reused.

3. Atomic Service Transaction
Services can be wrapped in atomic transactions with a rollback feature that reverses all actions and changes. Transaction management services can be implemented in the component layer and reused by multiple services.

4. Enterprise Service Bus (ESB)
An ESB acts as a message broker between consumers and services. The ESB can perform message transformations and routing, and connect to applications via a variety of communication protocols. You can use open source ESB products.

5. Service Façade
The service façade sits between a service and a contract. It eliminates the tight coupling between the service and its contract. This is intended to minimize changes to the service if the contract changes. A service can have multiple service façades to support multiple contracts.

6. Long Running Services & Service Callback
A service requires its consumers to call it asynchronously. If the consumer needs a response, it provides a callback address. When the service reaches some milestone in processing, it messages the consumer with a response. This approach frees resources and is useful when services are expected to be long running.

7. Backward Compatibility & Multiple Service Contracts
A service may support multiple contracts concurrently. This can be done to support backward compatibility (so that when a service changes all the consumers do not have to be updated). It is also done to provide different views to the service for different purposes (thus facilitating reuse).


8. Authentication Broker
In an enterprise scenario an authentication broker assumes responsibility for authenticating consumers. Consumers are issued a token they can use to access services.

9. Message Origin Authentication
Digital certificates are used to authenticate enterprise clients.


10. Message Filtering
Messages are filtered for harmful data before processing.
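The following added example (not code from the post) puts patterns 8 and 10 together: an authentication broker that is the only component to see credentials and issues a signed, expiring token, a service that verifies that token locally without re-authenticating the consumer, and a message filter that rejects harmful input before the service logic runs. The consumer store, the signing key, the token layout and the message format are all assumptions made for the example.

```python
"""Authentication Broker and Message Filtering patterns, minimal form."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed consumer credential store (in practice a directory or IdP).
CONSUMERS = {"billing-ui": hashlib.sha256(b"s3cret-billing").hexdigest()}
BROKER_KEY = b"constructed-broker-signing-key"   # shared with services only
TOKEN_TTL_S = 300
MAX_FIELD_LEN = 64


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: str) -> str:
    return _b64(hmac.new(BROKER_KEY, payload.encode(), hashlib.sha256).digest())


def broker_issue_token(consumer: str, secret: str, now: Optional[int] = None) -> Optional[str]:
    """Authentication Broker: check credentials once, return 'payload.sig' or None."""
    now = int(time.time()) if now is None else now
    expected = CONSUMERS.get(consumer)
    presented = hashlib.sha256(secret.encode()).hexdigest()
    if expected is None or not hmac.compare_digest(expected, presented):
        return None
    payload = _b64(json.dumps({"sub": consumer, "exp": now + TOKEN_TTL_S}).encode())
    return f"{payload}.{_sign(payload)}"


def service_verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Each service checks signature and expiry locally; no call back to the broker."""
    now = int(time.time()) if now is None else now
    try:
        payload, sig = token.split(".", 1)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    claims = json.loads(_unb64(payload))
    return claims if claims.get("exp", 0) > now else None


def filter_message(msg: dict) -> bool:
    """Message Filtering: reject oversized fields and control characters
    (CR/LF injection into downstream logs or protocols) before processing."""
    for value in msg.values():
        if not isinstance(value, str) or len(value) > MAX_FIELD_LEN:
            return False
        if any(ord(c) < 32 for c in value):
            return False
    return True


def invoice_service(token: str, msg: dict, now: Optional[int] = None) -> str:
    """A service that trusts the broker's token and filters its input."""
    claims = service_verify_token(token, now)
    if claims is None:
        return "401 unauthenticated"
    if not filter_message(msg):
        return "400 rejected by message filter"
    return f"200 invoice {msg['invoice_id']} for {claims['sub']}"


if __name__ == "__main__":
    tok = broker_issue_token("billing-ui", "s3cret-billing")
    print(invoice_service(tok, {"invoice_id": "INV-1"}))
    print(invoice_service(tok, {"invoice_id": "INV-1\r\nX"}))
```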

Tuesday, August 4

16) What implementation should an enterprise prioritize - Mobile Applications, SaaS or Big Data?

The mobile revolution, SaaS & Big Data followed in succession. Each of these technologies changed the playing field and churned the markets. Yet there are over 70% of enterprises that have not implemented mobile platforms, over 90% that have not leveraged SaaS and over 99% that have not taken any Big Data initiative as yet. Don't worry about the accuracy of the numbers, because this is my conservative estimate and the real numbers could vary by a huge 20%, but the proportion of implementation should be very close.

And for the enterprises that have yet to implement any of these 3 technologies it is quite a challenge. There are enterprises that were on the verge of building their mobile platforms and suddenly got hit by the SaaS wave and then the Big Data wave.
Mobile platform roll-out is a challenge by itself, and I have worked on projects that have gone back and forth on the mobility platform, at times because of lack of understanding of the mobility architecture and at other times due to a rigid service layer which would have to be rebuilt to cater to the mobile platform because of the 'different nature & requirements of the mobile user interface'. The challenge is around using your existing architecture and capabilities to support the mobile application instead of replicating and rebuilding applications for mobile; we can say the challenge is to implement a classic Service Oriented Architecture to reuse the existing services of the enterprise applications.
SaaS, or Software as a Service, is a value proposition and the need of the hour, but it will take some time for enterprises to move to SaaS. To implement SaaS in the true sense, apart from the challenges faced by a mobile implementation there are additional challenges across the architecture layers. The good part is that there are multiple 'multi-tenancy models' and an enterprise can implement SaaS incrementally and still derive the benefits of the shared model. My opinion is that an enterprise should start Mobile & SaaS implementation in parallel. Of course they need an experienced architect to guide them, and the 1st step of each implementation would be to build a working prototype. It is also very important to educate employees about the structural and cultural changes that come along with adopting these 2 technologies, but that is something we will not discuss here.
Finally Big Data, the Big Daddy: everybody wants to tell the world that they have got it tamed, but nobody knows what the end result will be. No kidding! Ask Apple, Amazon, Best Buy, IBM, Telstra, AT&T and many others who got started with a humble goal. This is because unless you have a clear understanding of the veracity of Big Data for your enterprise and its applicability to various areas of business, it does not make sense to invest in Big Data. So first things first: study the changing industry landscape, revisit the enterprise vision and update it, and then define the Big Data vision. I think it is clear that Big Data implementation can follow as you start implementing Mobility and SaaS, or even better, have all three programs run in parallel if you can. I will be happy to exchange learnings about these technologies if you drop me a mail. Cheers!

15) Tribute to my Idol Scientist & Ex President APJ Abdul Kalam (aka. Father of Indian Nuclear Program & Missile Man)

Most hard working people retire at the age of 75 and enjoy a relaxed lifestyle. Those who are fit like to travel across the globe, visiting countries & enjoying life, and there are a few 84-year-old people like Indian ex-President APJ Abdul Kalam who continue to work 24/7, sharing their vision & experience with the youth and guiding them. It is interesting that at the age of 84 Mr Kalam would share his personal email-id at press conferences & invite people to write to him, guaranteeing a reply within 24 hours. I have been proud of the fact that I always reply to my business emails the same day I receive them, but I cannot imagine myself sharing my email-id with the whole of India and replying to any question on any subject 24/7 like Kalam did; it takes Mr. Kalam to Just Do It.
I became Mr. Kalam's fan when I heard his interview after the 'Pokhran' nuclear test, which made India a nuclear power under his leadership. Most people don't realize the impact of becoming a nuclear power, and if you read the last few years of history you will realize the change in the world's outlook towards India pre/post becoming a nuclear power. Interestingly it took two of the most honest and non-violent people, Atal Bihari Vajpayee & Dr Kalam, to finally make it happen. When a reporter asked him 'Why does India need a nuclear bomb?' Dr. Kalam's reply was 'Today the world's top 4 nations are nuclear powers and if India wants to be heard as a leader we cannot sit and do Tapas (Tapas or Tapasya meaning doing penance). To be heard as a leader India needs to be one of the top 5 powerful nations and that is why India had to develop its nuclear program.' If you have heard his lectures you would know that Dr. Kalam's approach was always practical, precise and to the point, and he conveyed his ideas in a very polite way. I like his examples of what a good leader should be like. He said a good leader should face the world and own the team's failures, & when the team succeeds the leader should let the team take the center stage and himself take a back seat. I wish we had more and more leaders following his example. There are far too many leaders who are too eager to own credit that at times rightfully belongs to someone else or to the entire team. He said leaders are watched by people and followed, so their integrity should be beyond question, and in the 84th year of his life he enjoys popularity because of his honesty, integrity & character. Kalam said a leader should be courageous and should be able to take difficult decisions. I have seen leaders who have been scared of taking tough decisions even when the risk was minimal, and such a leader fails to understand that a wrong decision puts his team back by ages.
I wish Indian political leaders would start following Kalam's principles, if only to become popular and succeed like Dr. Kalam, because no Indian has tasted success like Dr. Kalam in recent years.

I can think of a few leadership principles that may not be part of Dr Kalam's speeches, but I have observed these qualities in Mr. Kalam and many other good leaders.

1) A leader should be friendly and approachable to everybody in his team - remember Mr. Kalam himself used to read emails sent by anybody & everybody, even after he retired.

2) A leader should regularly communicate with his team. The leader's communication should be crisp and to the point, and he should listen to the spoken and the unspoken.

3) A leader should seek opportunities to appreciate his team rather than finding faults in it, and the team will work hard to earn his appreciation.


I did not have the fortune to meet the great APJ but I always felt I had a connection with the man. I guess each patriotic Indian today feels that he has a connection with APJ Abdul Kalam, and that is what makes him the People's President - a loving title that no other president in the world has been bestowed with by the people. I am happy my son has a modern Indian idol to follow and I can tell him stories of the great Dr APJ Abdul Kalam.

Rest in peace Sir, Dr Avul Pakir Jainulabdeen Abdul Kalam. You will always be loved and remembered by India.

Sunday, August 2

Session Token In URL Vulnerability

The HTTP protocol and web servers are stateless by nature. This means that, on their own, they have no way to track user activity: the web server treats every request as a new one. For this reason, browsers and web servers need to use session tokens. Session tokens are unique pieces of information shared between the browser and the server. They make it possible to track user activity and differentiate between users. For example, an e-commerce application may use a session token to identify the shopping cart that belongs to a particular user.
There are different ways to share session tokens. They are most commonly included in cookies, but alternative methods are quite widespread as well. Such methods include sending the session token directly in URLs, in dynamically rewritten URLs, or hidden in the HTML source of the web page. These methods are also often combined, and they are on the rise because users often disable cookies in web browsers due to privacy concerns.
Why Is Using Session Tokens in URLs a Bad Idea?
The easiest method of sharing session tokens is placing one directly in the URL, for example, http://www.example.com/account.php?token=12345. Using such a URL, a user who was authenticated earlier can access their account. This method is not inherently insecure, but if the session token is not properly validated by the server it can lead to high-risk vulnerabilities.
If you place a session token directly in the URL, it increases the risk of an attacker capturing and exploiting it. Anyone who follows that URL inherits the session. When you connect to the web server using HTTPS the risk is lower than over HTTP, but it is still a threat.
HTTPS URLs are encrypted during transmission but they are often stored in server logs. Anyone who gains access to the logs can exploit these tokens. In the worst case, this can lead to session fixation or session hijacking. Therefore, even though we classify the Session Token in URL vulnerability as low severity, you should not take it lightly.
What Are the Alternatives?
Applications should use alternative methods of sharing session tokens, for example HTTP cookies. You should also encrypt such applications (serve them over HTTPS) because it is possible to retrieve session tokens from unencrypted applications. If you cannot use cookies, you can send session tokens using hidden input fields. Unfortunately, this is also not foolproof: attackers may explore the HTML source code to identify and abuse hidden fields used to send these tokens. For more on session hacking, read my post 'What is Session Hacking?'
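To make the difference concrete, here is an added example (not code from the post) showing the weak handler that reads the session from the URL beside the hardened one that reads it only from a cookie, plus an audit that scans access-log lines for tokens leaked through URLs, which is exactly where the post says they end up. The session store, the cookie name, the handler names and the log lines are all constructed.

```python
"""Session token in URL: the weak pattern, the hardened one, and a log audit."""
import re
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Constructed server-side session store: token -> user.
SESSIONS = {"12345": "alice"}


def user_from_url_token(request_line: str):
    """Vulnerable: accepts the session from ?token=... in the request URL.
    The URL, and so the session, lands in server logs; anyone who later reads
    those logs or follows the link inherits the session."""
    path = request_line.split(" ")[1]
    token = parse_qs(urlsplit(path).query).get("token", [None])[0]
    return SESSIONS.get(token)


def user_from_cookie(headers: dict):
    """Hardened: the session is taken only from the Cookie header, never the URL,
    so a token pasted into a link or a log line does not authenticate anyone."""
    jar = SimpleCookie(headers.get("Cookie", ""))
    morsel = jar.get("SESSIONID")
    return SESSIONS.get(morsel.value) if morsel else None


def set_session_cookie_header(token: str) -> str:
    """Set-Cookie value: Secure keeps it off plain HTTP, HttpOnly keeps it away
    from page scripts, SameSite=Lax stops most cross-site sends."""
    return f"SESSIONID={token}; Secure; HttpOnly; SameSite=Lax; Path=/"


# Common query/path parameter names that carry session identifiers.
TOKEN_IN_URL = re.compile(
    r"[?&;](?:token|sessionid|jsessionid|phpsessid)=([^&\s\"]+)", re.IGNORECASE)


def audit_access_log(lines):
    """Return (request line, leaked token) for every log entry whose URL
    carries a session token, the exposure the post warns about."""
    hits = []
    for line in lines:
        match = TOKEN_IN_URL.search(line)
        if match:
            request = line.split('"')[1]   # combined-log-format request field
            hits.append((request, match.group(1)))
    return hits


# Constructed access-log sample in combined log format.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Aug/2015:10:01:02 +0000] "GET /account.php?token=12345 HTTP/1.1" 200 512',
    '10.0.0.6 - - [02/Aug/2015:10:01:09 +0000] "GET /static/app.css HTTP/1.1" 200 2048',
    '10.0.0.7 - - [02/Aug/2015:10:02:44 +0000] "GET /cart;jsessionid=ABCDEF HTTP/1.1" 200 900',
    '10.0.0.8 - - [02/Aug/2015:10:03:01 +0000] "POST /login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    print(user_from_url_token("GET /account.php?token=12345 HTTP/1.1"))  # alice
    print(user_from_cookie({"Cookie": "SESSIONID=12345; theme=dark"}))    # alice
    for request, token in audit_access_log(SAMPLE_LOG):
        print("token exposed in log:", request, token)
```

Running the audit over real access logs is a quick way to find the vulnerability after the fact; moving the token into a cookie with the attributes above removes it at the source.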

Understanding Generative AI and Generative AI Platform leaders

We are hearing a lot about power of Generative AI. Generative AI is a vertical of AI that  holds the power to #Create content, artwork, code...