Questions tagged [session-hijacking]

Session hijacking is the takeover of an established session between two parties. At the network layer the term means TCP session hijacking: the attacker predicts or observes TCP sequence numbers (the ISNs) and injects packets so that the connection appears to continue normally while the attacker controls it, typically from a man-in-the-middle position in which the attacking program appears as the server to the client and as the client to the server. In web applications, which is what most questions under this tag are about, it means obtaining a user's session identifier (usually a cookie such as PHPSESSID, JSESSIONID or ASP.NET_SessionId) by sniffing unencrypted traffic ("sidejacking"), stealing it with XSS, or planting it in advance (session fixation), and then presenting that identifier to the server to impersonate the user.
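The following is an added example, not part of the tag wiki or of any question listed on this page. It models a server-side session table in Python to make two points that recur in the questions below concrete: first, that a copied session cookie is indistinguishable from the legitimate one at the server, so cookie theft is always a hijack unless the identifier is rotated or expired; second, how session fixation works when a server adopts a client-supplied identifier, and why regenerating the identifier at login (or refusing identifiers the server never issued) closes it. All class and function names (`SessionStore`, `demo_fixation`, ...) and the 15-minute idle timeout are invented for the example; the `Set-Cookie` attributes are real HTTP cookie flags.

```python
"""Minimal session store illustrating cookie replay and session fixation.

Constructed example; not from any framework. The Set-Cookie flags are real,
everything else (names, timeout, the planted identifier) is made up.
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

SESSION_TTL = 900  # idle timeout in seconds (assumed value for the example)


@dataclass
class Session:
    user: Optional[str] = None
    last_seen: float = field(default_factory=time.monotonic)


class SessionStore:
    """Server-side session table keyed by the cookie value the client sends."""

    def __init__(self, accept_client_ids: bool):
        # accept_client_ids=True models the fixation-prone behaviour of
        # adopting any id the client presents (PHP does this unless
        # session.use_strict_mode is enabled).
        self.accept_client_ids = accept_client_ids
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _new_id() -> str:
        return secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG

    def begin(self, cookie: Optional[str]) -> str:
        """Map the incoming cookie to a live session id, creating one if needed."""
        now = time.monotonic()
        if cookie is not None:
            s = self._sessions.get(cookie)
            if s is not None:
                if now - s.last_seen > SESSION_TTL:
                    del self._sessions[cookie]  # expired: fall through to a fresh id
                else:
                    s.last_seen = now
                    return cookie
            elif self.accept_client_ids:
                # VULNERABLE: an attacker-chosen id becomes a live session.
                self._sessions[cookie] = Session()
                return cookie
        sid = self._new_id()
        self._sessions[sid] = Session()
        return sid

    def login(self, sid: str, user: str, rotate: bool) -> str:
        """Authenticate the session; with rotate=True a planted id becomes useless."""
        if rotate:
            del self._sessions[sid]
            sid = self._new_id()
            self._sessions[sid] = Session(user=user)
        else:
            self._sessions[sid].user = user
        return sid

    def whoami(self, cookie: Optional[str]) -> Optional[str]:
        s = self._sessions.get(cookie) if cookie is not None else None
        return s.user if s else None


def set_cookie_header(sid: str) -> str:
    """Flags that keep the cookie off cleartext links and out of reach of script."""
    return f"Set-Cookie: SESSIONID={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def demo_cookie_copy() -> Tuple[Optional[str], Optional[str]]:
    """Victim logs in; attacker replays the same cookie from another machine."""
    store = SessionStore(accept_client_ids=False)
    sid = store.login(store.begin(None), "alice", rotate=True)
    victim_view = store.whoami(sid)
    attacker_view = store.whoami(sid)  # identical request: server cannot tell them apart
    return victim_view, attacker_view


def demo_fixation(accept_client_ids: bool, rotate: bool) -> Optional[str]:
    """Attacker plants an id on the victim; victim logs in; attacker uses that id."""
    store = SessionStore(accept_client_ids)
    planted = "attacker-chosen-id"            # constructed value
    victim_sid = store.begin(planted)         # victim arrives carrying the planted cookie
    store.login(victim_sid, "alice", rotate)
    return store.whoami(planted)              # attacker presents the id they planted
```

`demo_cookie_copy()` returns `("alice", "alice")` in every configuration: nothing the server can check distinguishes the copied cookie, which is why the cookie flags, short lifetimes and re-authentication for sensitive actions matter. `demo_fixation(True, False)` returns `"alice"` (the attacker owns the authenticated session), while either refusing client-supplied identifiers or rotating at login makes it return `None`.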

118 questions
31
votes
2 answers

How do I prevent session hijacking by simply copying a cookie from one machine to another?

Most Web Applications use cookies to manage the session for a user and allow you to stay logged in even if the browser was closed. Let's assume we did everything by the book to make sure the cookie itself is safe: encrypt the content, set http…
Sam
  • 443
  • 1
  • 4
  • 7
22
votes
1 answer

Proper session hijacking prevention in PHP

I know this topic has been discussed a lot, but I have a few specific questions still not answered. For example: // **PREVENTING SESSION HIJACKING** // Prevents javascript XSS attacks aimed to steal the session ID ini_set('session.cookie_httponly',…
federico-t
  • 11,157
  • 16
  • 58
  • 108
11
votes
3 answers

Session hijacking and PHP

Let's just consider the trust that the server has with the user. Session fixation: To avoid the fixation I use session_regenerate_id() ONLY in authentication (login.php) Session sidejacking: SSL encryption for the entire site. Am I safe?
Caio
  • 2,920
  • 6
  • 34
  • 51
9
votes
4 answers

Session Hijacking in practice

I have been reading up on session fixing/hijacking recently, and understand the theory. What I don't understand is how this would be exploited in practice. Would you have to tamper with your browser to make use of the stolen cookies? Append it to…
Joshxtothe4
  • 3,707
  • 10
  • 50
  • 80
8
votes
8 answers

How to encrypt session id in cookie?

While I was reading session hijacking articles, I learned that it would be nice to encrypt the session id value that is stored in a cookie. As far as I know, when I start a session by calling session_start(), PHP does not encrypt the session id value…
Moon
  • 20,835
  • 65
  • 174
  • 263
8
votes
3 answers

Session hijacking or attack?

Lately I have seen this in my error log (1 per day, and I have 40k visitors per day): [22-Sep-2009 21:13:52] PHP Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and…
Toto
  • 2,142
  • 20
  • 37
8
votes
1 answer

Can someone who merely knows my current JSESSIONID impersonate / hijack my session (Tomcat 7/Glassfish 3.2)?

I'm looking for a plain English, "for dummies" explanation of how JSESSIONID works from a security standpoint. Can someone who merely knows my current JSESSIONID impersonate / hijack my session? In what scenarios will JSESSIONID be part of the URL,…
Eran Medan
  • 41,875
  • 56
  • 175
  • 268
7
votes
1 answer

Avoiding session hijacking in ASP.NET

I recently read an article on making ASP.NET sessions more secure here and at first it seems really useful. Previously I had been storing the user's IP address in the session, then making sure in every subsequent request that the requesting IP was…
sjmeverett
  • 1,196
  • 10
  • 21
7
votes
2 answers

Session Hijacking Protection in ASP.NET

I'd like to find out what session ID hijacking protection is built into the current version of ASP.NET. I recently saw this very informative article that explains how session security can be enhanced by implementing an additional layer that encodes…
Martyn
  • 1,369
  • 2
  • 15
  • 28
7
votes
1 answer

Are sessions stored in a browser only?

My site is under a brute force attack in which the attackers are attempting to gain access to user accounts. The bots do not have a user agent. I have a system in place that blocks a person from signing in if they exceed 3 attempts per account in…
SHH
  • 484
  • 1
  • 5
  • 13
7
votes
1 answer

How does Stackoverflow keep users signed in over HTTP?

I've noticed that stackoverflow only uses SSL on the login page, and that questions/answers can be posted over HTTP. Users must be logged in to do that, and so I'm wondering how stackoverflow manages to track which users are logged in, if SSL is…
stephenmurdoch
  • 31,696
  • 27
  • 107
  • 175
6
votes
1 answer

Session Replay vs Session Fixation vs Session Hijacking

Can anyone give a clear difference between session fixation, session replay and session hijacking attacks? I have read many articles, but the matter is still unclear between session hijacking and session replay attacks.
6
votes
1 answer

Session Management with Windows Authentication

In an ASP.NET web app, using Integrated Windows Authentication, is the session tied to the windows identity? In other words, if I login (using IWA) to the app, and the app stores some "stuff" in my session, is this stuff accessible by session id…
6
votes
1 answer

Spring Security/JSF/Hibernate Accidental Session Hijacking on Tomcat?

Something very strange and embarrassing happened to me the other day and I don't have words to describe what happened. My app runs Spring 3 integrated with JSF 2.1, Hibernate 4, Spring Security all on Tomcat 7. I was over the phone with someone…
maple_shaft
  • 10,328
  • 4
  • 42
  • 70
6
votes
2 answers

PHP Checking User Agent and IP To Prevent Session Hijacking

I'm trying to figure out how to prevent session hijacking. Here's what I was thinking of doing: Along with the user id session, add a user agent and user IP session too. Every time a page is loaded, these sessions will be checked to see if they…
user870283