On a website, cookies and sessions are used to store information, and they are a tasty treat for malicious hackers. Once an attacker gets their hands on a session ID, they can gain unauthorized access to a web application and fully impersonate a valid user.
The term “session hijacking” refers to an attacker taking over a portion of a session and acting as one of its participants.
How does session hijacking work?
- Session hijacking happens when an intruder takes advantage of a compromised active session by hijacking or stealing the HTTP cookies used to maintain a session on most websites.
- Another way is by predicting an active session ID to gain unauthorized access to information on a remote web server without detection, since the intruder is using the credentials of that particular user.
Session Hijacking Countermeasures
To keep your system resistant to session hijacking attacks, follow these rules:
- Use end-to-end encryption between the user’s browser and the web server (a secure TLS connection), which prevents an eavesdropper from reading the session ID in transit.
- Change the session ID after the user logs in. A session that is no longer in use should be logged off automatically, and the client should be required to re-authenticate and receive a different session ID.
- Set the HttpOnly flag for session cookies.
- Generate long and random session cookies, which reduces the chances of an adversary guessing or predicting what a session cookie could be.
- Use the secure, well-tested session ID generation and management mechanisms available in popular frameworks.
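The rules above translate directly into a small server-side session layer. The following is an added example written for this page, not code from the original article or from any particular framework: it generates long random session IDs from the OS CSPRNG, rotates the ID at login, expires idle sessions, and emits the session cookie with the HttpOnly, Secure and SameSite flags. The names (`SessionStore`, `session_cookie_header`, `session_from_request`), the 32-byte ID length and the 15-minute idle timeout are this example's own assumptions; the cookie name `session` and the `alice` user are constructed sample values.

```python
import secrets
import time
from http.cookies import SimpleCookie

# Assumed policy values (not from the article): 32 random bytes = 256 bits of
# entropy per session ID, and a 15-minute idle timeout.
SESSION_ID_BYTES = 32
IDLE_TIMEOUT_SECONDS = 15 * 60
COOKIE_NAME = "session"


class SessionStore:
    """Server-side session table keyed by an unguessable session ID."""

    def __init__(self, clock=time.time):
        self._sessions = {}   # session id -> {"user": ..., "last_seen": ...}
        self._clock = clock   # injectable so idle expiry can be tested

    def create(self, user=None):
        # Long, random ID from the OS CSPRNG; never derived from time, a user
        # name or a counter, so it cannot be predicted.
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def lookup(self, sid):
        """Return the session record, or None if unknown or idle for too long."""
        record = self._sessions.get(sid)
        if record is None:
            return None
        if self._clock() - record["last_seen"] > IDLE_TIMEOUT_SECONDS:
            # Automatic logoff: an idle session is destroyed, forcing re-authentication.
            del self._sessions[sid]
            return None
        record["last_seen"] = self._clock()
        return record

    def login(self, pre_login_sid, user):
        """Rotate the ID on authentication so a pre-login ID is never upgraded."""
        self._sessions.pop(pre_login_sid, None)
        return self.create(user)

    def logout(self, sid):
        self._sessions.pop(sid, None)


def session_cookie_header(sid):
    """Build the Set-Cookie value with the HttpOnly, Secure and SameSite flags set."""
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = sid
    cookie[COOKIE_NAME]["httponly"] = True   # not readable by page scripts
    cookie[COOKIE_NAME]["secure"] = True     # only ever sent over TLS
    cookie[COOKIE_NAME]["samesite"] = "Strict"
    cookie[COOKIE_NAME]["path"] = "/"
    return cookie.output(header="").strip()


def session_from_request(store, cookie_header):
    """Resolve the session named in an incoming Cookie header, or None."""
    cookie = SimpleCookie()
    cookie.load(cookie_header or "")
    morsel = cookie.get(COOKIE_NAME)
    if morsel is None:
        return None
    return store.lookup(morsel.value)


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()                        # pre-login session
    authed = store.login(anon, "alice")          # ID rotated at login
    print(session_cookie_header(authed))
    print(session_from_request(store, f"{COOKIE_NAME}={anon}"))    # None: old ID is dead
    print(session_from_request(store, f"{COOKIE_NAME}={authed}"))  # record for alice
```

The pre-login ID is discarded at `login`, so an ID an attacker managed to plant or observe before authentication never becomes an authenticated one; `lookup` deletes a session that has been idle past the timeout rather than merely refusing it, so a stale ID cannot be revived later.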