Questions tagged [session-hijacking]

Session hijacking is an attack in which an adversary takes over an established, authenticated session between a client and a server. In the classic network-layer form the attacker predicts the initial sequence numbers (ISNs) of a TCP connection and injects packets that the server accepts as coming from the legitimate client, often from a man-in-the-middle position where the attacker's program appears as the server to the client and as the client to the server, keeping the exchange alive so that neither end notices. In web applications the term usually means obtaining or fixing the session identifier (a cookie, URL parameter or token) so that the attacker's requests are treated as the victim's; the usual countermeasures are TLS, Secure and HttpOnly cookies, regenerating the identifier at login, server-side invalidation at logout, and binding the session to client attributes as a secondary signal.

118 questions
1 vote · 1 answer

Best way to do 'loose' IP check for protection against session hijacking

What is the best way to do a 'loose' IP check for protection against session hijacking, which works for both IPv4 and IPv6? I have an array which saves all users' IP addresses and how many times the user has connected from that address: $arr =…
Fredrik
1 vote · 0 answers

IdentityServer4 Session Hijacking

We're creating B2B software that contains web frontends which will often be used by different users on one and the same browser instance and in the same Windows user session as well. The users are meant to "log out" of our web frontend by using…
Ravior
1 vote · 0 answers

Domain / DNS injection issue - scam links seemingly coming from my website

I recently looked into Google Search Console and it shows "Hacked: URL injection". There are several scam links that look like they are part of my website. I tried removing all hosting data but they were still accessible. So I asked my…
faze
1 vote · 0 answers

How to avoid session hijacking in MVC5 + Identity? / Invalidate cookie server side

I have a fully working web app made with MVC5 and ASP.NET Identity (local accounts + cookie-based auth). We ran a security audit on the site and the results showed that our site is vulnerable to session hijacking. The steps to reproduce the…
1 vote · 1 answer

presenting a session id to the server is causing session fixation

Consider my code below: when I call it up in my browser, http://localhost/user_login.php?PHPSESSID=1234, when I…
user7838568
1 vote · 1 answer

How to prevent session hijacking in Odoo 8?

I am building a product for my company on Odoo 8. I want to know how I can protect my application from session hijacking. I have taken a few steps for that: changing the session ID after successful login and logout. I have also used SSL to encrypt data…
1 vote · 0 answers

I see JSessionIds that don't belong to my webapp

I'm running a website on my own VPS with a static IP. The website is a Java/Spring (MVC, Security) based application and runs inside a Tomcat 7 container. When I go to the Tomcat manager page, I see over 300 sessions that are active and none of them looks…
1 vote · 0 answers

Session Hijacking, is it possible?

I have tried with Postman, using some SessionId, to send an authentication POST request. My question is very similar to this post. It is: if I use a Java program to get a user's sessionId (stored in a cookie) and send it to e.g. Google for authentication…
1 vote · 0 answers

Session Hijacking? X-Forwarded-For, different between Login and subsequent request

When a user logs into the web application, I capture 3 values and store them in session state: IP, UserAgent, http-X-Forwarded-For. During login, http-x-forwarded-for has an empty value. The log file shows that the http-x-forwarded-for has a new value…
mjb
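A worked example of the check the X-Forwarded-For question above needs. It is added here and is not code from that question or its answers: it derives one client address from the TCP peer plus the X-Forwarded-For chain, trusting only hops that belong to your own proxies, and compares that derived address between login and later requests instead of comparing the raw header, which is empty on a direct connection and populated once a proxy is in the path. Python rather than the questioner's stack; the proxy ranges, sample addresses and header values are constructed for the example.

```python
import ipaddress

# Constructed for the example: address ranges of your own reverse proxies /
# load balancers, the only hops allowed to append to X-Forwarded-For.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.10/32"),
]


def _parse(ip_str):
    """IP object for a string, or None for garbage (or a missing value)."""
    try:
        return ipaddress.ip_address(ip_str.strip())
    except (ValueError, AttributeError):
        return None


def _is_trusted(ip_str):
    ip = _parse(ip_str)
    return ip is not None and any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, xff_header):
    """Return the address to bind the session to.

    remote_addr is the TCP peer as the server saw it; xff_header is the raw
    X-Forwarded-For value, empty or None when no proxy added one. Walk the
    chain from the right (the hop nearest to us), skipping our own proxies;
    the first hop that is not ours is the client. Anything further left was
    written by an untrusted party and is ignored, which is what makes a
    spoofed header harmless. A direct connection returns the peer and
    ignores the header entirely."""
    if not _is_trusted(remote_addr):
        return remote_addr
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if _is_trusted(hop):
            continue
        ip = _parse(hop)
        return str(ip) if ip is not None else remote_addr
    return remote_addr  # only proxies in the chain (health check, internal call)


def session_ip_changed(bound_ip, remote_addr, xff_header):
    """The per-request comparison: derived client address vs. the value
    stored at login. Comparing raw headers instead is what produces false
    alarms when the login request and later requests reach the server by
    different paths (direct, then via the load balancer)."""
    return client_ip(remote_addr, xff_header) != bound_ip
```

Store the result of client_ip at login and feed every later request through session_ip_changed; whether a change should end the session or only force re-authentication is a policy decision, since legitimate clients do change address.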
1 vote · 1 answer

Session Hijacking Prevention in Java (Struts 2.0) | Error Encountered

I'm developing an application in Java which seems to have a session hijacking vulnerability. In order to prevent this, the recommendation is to change the JSESSIONID for a user after login. My application is based on Struts 2.0 and Tomcat 7 and I…
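The following is an added example, not code from any of the posts on this page, showing the server-side behaviour that the session fixation question (presenting ?PHPSESSID=1234), the Odoo and Struts questions (regenerate the identifier after login) and the MVC5 question (invalidate the cookie server side) are each asking for: a store that only honours identifiers it issued itself, moves the session to a fresh identifier at login, and drops the record at logout or on revocation. Python with an in-memory dictionary standing in for the real store; the idle timeout and the hashing of the identifier before it is used as a key are design choices of this example, not something the questions prescribe.

```python
import hashlib
import secrets
import time

IDLE_TIMEOUT = 30 * 60  # seconds; assumption for the example

# Constructed in-memory store: sha256(session id) -> record. A real deployment
# uses a database or cache shared by every app server, keyed the same way so
# that a dump of the store does not hand out live cookies.
_SESSIONS = {}


def _key(sid):
    return hashlib.sha256(sid.encode()).hexdigest()


def _clock(now):
    return time.time() if now is None else now


def create_session(now=None):
    """Issue a fresh, anonymous session. The id comes from the CSPRNG; an id
    proposed by the client is never adopted as a new session."""
    sid = secrets.token_urlsafe(32)
    _SESSIONS[_key(sid)] = {"user": None, "last_seen": _clock(now)}
    return sid


def lookup(sid, now=None):
    """Return the record for a server-issued id, or None. This is the fixation
    defence: an id the server never issued (?PHPSESSID=1234 pasted into a URL)
    matches nothing and gets no session, instead of being created on demand."""
    if not sid:
        return None
    rec = _SESSIONS.get(_key(sid))
    if rec is None:
        return None
    now = _clock(now)
    if now - rec["last_seen"] > IDLE_TIMEOUT:
        del _SESSIONS[_key(sid)]
        return None
    rec["last_seen"] = now
    return rec


def login(sid, user, now=None):
    """Authenticate: copy the state to a NEW id and destroy the old one, so an
    id the attacker planted or observed before login buys nothing afterwards."""
    old = lookup(sid, now)
    carried = {} if old is None else {k: v for k, v in old.items() if k != "user"}
    if old is not None:
        del _SESSIONS[_key(sid)]
    new_sid = create_session(now)
    _SESSIONS[_key(new_sid)].update(carried)
    _SESSIONS[_key(new_sid)]["user"] = user
    return new_sid


def logout(sid):
    """Server-side invalidation: the record goes away, so the cookie bytes the
    browser (or an attacker) still holds no longer resolve to anything."""
    if not sid:
        return False
    return _SESSIONS.pop(_key(sid), None) is not None


def revoke_all_for(user):
    """Drop every session of one user (password change, admin lockout)."""
    doomed = [k for k, r in _SESSIONS.items() if r["user"] == user]
    for k in doomed:
        del _SESSIONS[k]
    return len(doomed)
```

The point the MVC5 question runs into is that a self-contained authentication cookie carries its own validity, so logout on the client cannot revoke it; keeping a server-side record per session, as above, is what makes logout and revoke_all_for effective. Frameworks that already do this (PHP's session_regenerate_id(true), the servlet container's changeSessionId) are doing the same thing as login here.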
1 vote · 1 answer

Session hijacking prevention...how far will my script get me? additional prevention procedures?

When the user logs in, the current session variables are set: $_SESSION['user']['timeout'] = time(); $_SESSION['user']['ip'] = $_SERVER['REMOTE_ADDR']; $_SESSION['user']['agent'] = $_SERVER['HTTP_USER_AGENT']; In my common.php page (required on ALL…
Yusaf Khaliq
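An added example, not the script from the question above nor the $arr from the 'loose' IP check question earlier on the page, showing what such a script can and cannot do: the session is bound at login to a hash of the client's network prefix (/24 for IPv4, /64 for IPv6, with IPv4-mapped IPv6 folded back to IPv4) and User-Agent, and every request re-checks that together with an idle timeout. Python rather than PHP; the prefix lengths, the timeout and the sample addresses are assumptions of the example.

```python
import hashlib
import hmac
import ipaddress
import time

IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before the session dies (assumption)


def network_key(ip_str):
    """'Loose' form of a client address: the prefix a single client is likely
    to stay inside (/24 for IPv4, /64 for IPv6). IPv4-mapped IPv6 addresses
    such as ::ffff:203.0.113.7 are folded back to IPv4 so a dual-stack front
    end does not make one client look like two. Returns None for anything
    unparsable so the caller fails closed."""
    try:
        ip = ipaddress.ip_address(ip_str.strip())
    except (ValueError, AttributeError):
        return None
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    prefix = 24 if ip.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def fingerprint(ip_str, user_agent):
    """Hash of network prefix and User-Agent; None if the address is bad."""
    net = network_key(ip_str)
    if net is None:
        return None
    return hashlib.sha256(f"{net}|{user_agent or ''}".encode()).hexdigest()


def bind_session(session, ip_str, user_agent, now=None):
    """At login: record the fingerprint and the time in the session dict."""
    fp = fingerprint(ip_str, user_agent)
    if fp is None:
        raise ValueError("unparsable client address; refusing to bind session")
    session["fp"] = fp
    session["last_seen"] = time.time() if now is None else now
    return session


def check_session(session, ip_str, user_agent, now=None):
    """On every request. Returns (ok, reason); only an 'ok' result touches
    last_seen, so failed probes do not keep a session alive."""
    now = time.time() if now is None else now
    if "fp" not in session or "last_seen" not in session:
        return False, "unbound"
    if now - session["last_seen"] > IDLE_TIMEOUT:
        return False, "idle-timeout"
    fp = fingerprint(ip_str, user_agent)
    if fp is None or not hmac.compare_digest(fp, session["fp"]):
        return False, "fingerprint-mismatch"
    session["last_seen"] = now
    return True, "ok"
```

The loose comparison lets a client whose address moves within one /24 or /64 keep its session, which is what the earlier question wants, but it also means an attacker on the same prefix who copies the User-Agent passes the check. Treat a mismatch as a reason to require re-authentication rather than as proof of theft, and rely on TLS with Secure and HttpOnly cookies to stop the cookie being copied in the first place; the binding is a secondary signal, not the defence.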
1 vote · 1 answer

PHP best practices to prevent session hijacking in authentication

Possible Duplicate: Preventing session hijacking. I am coding up my login and authentication system for a PHP web application and looking for best practices to prevent session hijacking. The login page sets sessions: $_SESSION['email_address'] =…
Justin
1 vote · 1 answer

Prevent session cookie hijacking WITHOUT SSL

To prevent session hijacking, I tried to assign a specific cookie name to each user based on these variables: User-Agent and IP address. I have used the following function to generate the session cookie name which holds the session ID. static function…
zxcmehran
1 vote · 4 answers

Storing the user Password (serverside), connecting it to a cookie - security Issues

I'm trying to find a secure solution to a problem I have concerning cookies / sessions and DB data. I already read through different articles like http://www.devshed.com/c/a/PHP/Sessions-and-Cookies/ that explain different cookie theft and session…
Katai
1 vote · 1 answer

Preventing facebook session hijacking

I'm building a financial services web application and my company wants to incorporate Facebook authentication into it. Because we're in the finance world, security is paramount. I'm using the Facebook PHP SDK for integration, but I'm really…