Session Hijacking & Cookies

What is a Session Hijacking Attack?

On a website, cookies and sessions are used to store state about the user, and the cookie that carries the session ID is a prime target for attackers. Once an attacker gets their hands on a valid session ID, they can gain unauthorized access to the web application and fully impersonate the user it belongs to.

The term "session hijacking" refers to an attacker taking over an existing session and acting as one of its legitimate participants.

There is more than one type of session hijacking attack.

How does session hijacking work?

Session hijacking happens when an intruder steals the HTTP cookie that carries the session ID (for example by sniffing unencrypted traffic or by reading it from the browser through injected script), since that cookie is how most websites maintain a session, and then replays it in their own requests.

Another way is to predict a valid session ID rather than steal one. Either way the intruder gains unauthorized access to information on the remote web server without being detected, because every request carries the credential of a legitimate user and the server has no way to tell the two apart.

Countermeasures to Session Hijacking

To keep your system resistant to session hijacking, follow these guidelines:

1.    Use the secure, well-tested session ID generation and management mechanisms provided by popular frameworks rather than writing your own.

2.    Encrypt all traffic between the user's browser and the web server with TLS (HTTPS), and set the Secure flag on the session cookie so the browser never sends it over a cleartext connection. This prevents an attacker on the network from reading the session ID.

3.    Regenerate the session ID after the user logs in (and after any change of privilege), so that an ID issued before authentication is never promoted to an authenticated one. Sessions that sit idle should be logged off automatically, and the client should then have to re-authenticate and receive a fresh session ID.

4.    Set the HttpOnly flag on session cookies, so that scripts running in the page cannot read the session ID.

5.    Generate long session IDs from a cryptographically secure random source, which makes it infeasible for an adversary to guess or predict a valid session ID.
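The following is an added example, not code from Codesealer or from any framework: a small in-memory session manager that applies countermeasures 2 through 5 above, placed next to a deliberately weak session ID generator to show why the prediction attack described earlier works. The clock is passed in by the caller, the store is a plain dictionary, and the cookie name `sid`, the idle timeout and the counter values are all assumptions made for the illustration.

```python
"""Added example (not Codesealer's or any framework's code).

Shows a predictable session ID being enumerated by an attacker, then a
hardened session lifecycle: CSPRNG IDs, Secure/HttpOnly cookies, ID
regeneration at login and idle expiry. Store, clock and names are assumed.
"""
import hashlib
import secrets
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 15 * 60      # assumed: seconds of inactivity before a session dies
SESSION_ID_BYTES = 32       # 256 bits of entropy per session ID


# --- Weak generation: what NOT to do -----------------------------------------
class WeakSessionIds:
    """IDs derived from a counter and coarse wall-clock time. An attacker who
    knows roughly when a victim logged in can enumerate the candidates."""

    def __init__(self, start_counter=1000):
        self.counter = start_counter

    def new_id(self, now):
        self.counter += 1
        return hashlib.md5(f"{int(now)}:{self.counter}".encode()).hexdigest()


def predict_weak_ids(now, counter_lo, counter_hi, time_slack=5):
    """Attacker's view: every ID the weak generator could have produced in a
    window of a few seconds and a range of counter values."""
    candidates = set()
    for t in range(int(now) - time_slack, int(now) + time_slack + 1):
        for c in range(counter_lo, counter_hi + 1):
            candidates.add(hashlib.md5(f"{t}:{c}".encode()).hexdigest())
    return candidates


# --- Hardened generation and lifecycle ----------------------------------------
def new_session_id():
    """Countermeasure 5: a long ID from the OS CSPRNG (43 URL-safe chars)."""
    return secrets.token_urlsafe(SESSION_ID_BYTES)


def session_cookie_header(session_id, secure=True):
    """Countermeasures 2 and 4: Secure keeps the cookie off cleartext HTTP,
    HttpOnly keeps page scripts from reading it, SameSite=Lax limits
    cross-site sending. Returns the Set-Cookie header value."""
    c = SimpleCookie()
    c["sid"] = session_id
    c["sid"]["secure"] = secure
    c["sid"]["httponly"] = True
    c["sid"]["samesite"] = "Lax"
    c["sid"]["path"] = "/"
    return c["sid"].OutputString()


class SessionStore:
    """Keys are SHA-256 of the session ID, so a leaked store does not hand an
    attacker cookies that are directly usable."""

    def __init__(self):
        self._sessions = {}  # sha256(sid) -> {"user": ..., "last_seen": ...}

    @staticmethod
    def _key(sid):
        return hashlib.sha256(sid.encode()).hexdigest()

    def create(self, user, now):
        sid = new_session_id()
        self._sessions[self._key(sid)] = {"user": user, "last_seen": now}
        return sid

    def login(self, old_sid, user, now):
        """Countermeasure 3: the pre-login ID (possibly planted by an
        attacker) is destroyed and a fresh one issued on authentication."""
        self._sessions.pop(self._key(old_sid), None)
        return self.create(user, now)

    def lookup(self, sid, now):
        """Return the user of a live session, or None. Idle sessions are
        deleted, so a stolen cookie stops working after IDLE_TIMEOUT."""
        entry = self._sessions.get(self._key(sid))
        if entry is None:
            return None
        if now - entry["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[self._key(sid)]
            return None
        entry["last_seen"] = now
        return entry["user"]


def demo(now=1_700_000_000.0):
    """Run both halves on a constructed timeline and report what happened."""
    weak = WeakSessionIds()
    victim_id = weak.new_id(now)           # issued with counter 1001 at `now`
    guessed = victim_id in predict_weak_ids(now, 1000, 1100)  # 1111 candidates

    store = SessionStore()
    anon = store.create(None, now)         # anonymous session before login
    sid = store.login(anon, "alice", now)  # login rotates the ID
    return {
        "weak_guessed": guessed,
        "old_id_dead": store.lookup(anon, now) is None,
        "user": store.lookup(sid, now + 60),
        "expired": store.lookup(sid, now + 60 + IDLE_TIMEOUT + 1) is None,
        "cookie": session_cookie_header(sid),
    }


if __name__ == "__main__":
    print(demo())
```

The weak generator is guessed with about a thousand MD5 evaluations once the attacker knows the login happened within a few seconds of a known time; the hardened ID has 256 bits of entropy, so enumeration is not an option and theft of the cookie is the only remaining route, which the Secure and HttpOnly flags, the rotation at login and the idle timeout each narrow further.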

How does Codesealer help protect against session hijacking?

Codesealer Cover uses the dynamic protocol from Codesealer Core to ensure that an attacker cannot initiate a session without first reverse-engineering the most recent Core instance.

As these instances are only valid for a few minutes, and an attacker must start all over if they have not finished within the validity of the instance, the work required to instantiate a session becomes infeasible.

If that is relevant to you, let's have a chat in private, or fill out a quick form and an expert from the Codesealer team will get in touch shortly: https://codesealer.com/#contact