Questions tagged [session-hijacking]

Session hijacking is the takeover of an established session between a client and a server by an attacker who steals or guesses the identifier that the server uses to recognise the session. In web applications this usually means obtaining the session cookie (by sniffing plaintext HTTP, by cross-site scripting, or by planting a known ID beforehand, i.e. session fixation) and replaying it to act as the victim. In the TCP sense it refers to predicting the initial sequence numbers (ISNs) of a connection so that forged segments are accepted and the attacker can inject into or take over the conversation. When the attacker instead sits between the two parties and relays traffic, appearing as the server to the client and as the client to the server, the attack is a man-in-the-middle.
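The server-side defences that the questions under this tag keep circling (unguessable session IDs, rotating the ID at login against fixation, idle and absolute timeouts, and the HttpOnly/Secure cookie attributes) in one runnable sketch. This is an added illustration written for this page, not code from any of the questions or their answers; the HTTP exchange is simulated in-process, and SessionStore, set_cookie_header and the *_demo functions are invented names.

```python
"""Toy session store showing the defences discussed under [session-hijacking]:
unguessable IDs, ID rotation at login (anti-fixation), idle/absolute timeouts,
and cookie attributes that keep the ID away from scripts and plaintext HTTP.

Added illustration, not code from any question on the page. The HTTP exchange
is simulated in-process; SessionStore and the *_demo helpers are invented names.
"""
import hmac
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard lifetime regardless of activity


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock           # injectable so the demos are deterministic
        self._sessions = {}           # sid -> {"user", "created", "last_seen"}

    def create(self, user=None):
        # 32 bytes = 256 bits from the OS CSPRNG; nothing to "guess",
        # unlike a counter, a timestamp or a predictable TCP ISN.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def lookup(self, sid):
        """Return the session record for sid, or None if unknown or expired."""
        if not isinstance(sid, str) or not sid.isascii():
            return None
        # compare_digest keeps the comparison time independent of how many
        # leading characters match, so an attacker cannot refine a guess.
        match = next((s for s in self._sessions if hmac.compare_digest(s, sid)), None)
        if match is None:
            return None
        rec = self._sessions[match]
        now = self._clock()
        if now - rec["created"] > ABSOLUTE_TIMEOUT or now - rec["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[match]   # a stolen cookie replayed too late dies here
            return None
        rec["last_seen"] = now
        return rec

    def login(self, presented_sid, user):
        # Never upgrade the ID the client arrived with: if an attacker planted
        # it (session fixation) they would now hold an authenticated session.
        self._sessions.pop(presented_sid, None)
        return self.create(user)

    def logout(self, sid):
        # Invalidate server-side; deleting the cookie in the browser alone
        # leaves a stolen copy usable.
        self._sessions.pop(sid, None)


def set_cookie_header(sid, name="sid"):
    # HttpOnly: document.cookie cannot read it, so XSS cannot exfiltrate it.
    # Secure: never sent over plaintext HTTP, so sniffing open Wi-Fi sees nothing.
    # SameSite=Lax: not attached to cross-site subrequests or cross-site POSTs.
    return f"Set-Cookie: {name}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def fixation_attack_demo():
    """Attacker plants their own anonymous ID in the victim's browser and
    waits for the victim to log in while presenting it."""
    store = SessionStore()
    attacker_sid = store.create()                    # attacker's anonymous session
    victim_sid = store.login(attacker_sid, "alice")  # victim logs in with planted ID
    return {
        "rotated": victim_sid != attacker_sid,
        "attacker_still_valid": store.lookup(attacker_sid) is not None,
        "victim_authenticated": store.lookup(victim_sid)["user"] == "alice",
    }


def idle_timeout_demo():
    """A stolen cookie is only useful while the session is still alive."""
    now = [1_000_000.0]
    store = SessionStore(clock=lambda: now[0])
    sid = store.login(store.create(), "bob")
    now[0] += IDLE_TIMEOUT - 1
    alive = store.lookup(sid) is not None            # activity resets the idle timer
    now[0] += IDLE_TIMEOUT + 1
    expired = store.lookup(sid) is None              # replayed after the idle window
    return alive, expired


if __name__ == "__main__":
    print(fixation_attack_demo())   # {'rotated': True, 'attacker_still_valid': False, 'victim_authenticated': True}
    print(idle_timeout_demo())      # (True, True)
    print(set_cookie_header(SessionStore().create()))
```

Run it directly to see the fixation attempt fail and the idle timeout bite. Binding the session to the client IP or User-Agent, which several questions below propose, is deliberately not part of this sketch: both are attacker-controlled request headers, and legitimate users change IP behind NAT and on mobile networks, so such checks raise the bar slightly at a real usability cost. HttpOnly also only stops the cookie being read; a script injected into the page can still make requests that carry it.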

119 questions
6 votes, 2 answers

PHP Checking User Agent and IP To Prevent Session Hijacking

I'm trying to figure out how to prevent session hijacking. Here's what I was thinking of doing: Along with the user id session, add a user agent and user IP session too. Every time a page is loaded, these sessions will be checked to see if they…
user870283
5 votes, 1 answer

Unintentional Session Hijacking in Rails 4.2.4 (Devise / Warden), Phusion Passenger 5.0.24

Background Details We recently encountered a problem wherein User A could unintentionally hijack the session of User B who was trying to access a Controller-generated download at (nearly) the same time as User A. We are still not 100% certain of all…
4 votes, 1 answer

Accessing Facebook cookies in browser

When I type in javascript:alert(document.cookie) in the URL bar, I only get to see some cookies which facebook has set for my account. I think this is because the other cookies are http only. First question: Is this true? Are some Facebook cookies…
Zer0
4 votes, 9 answers

PHP Sessions + Useragent with salt

It keeps running in my mind the last couple of days, but I read some articles about how to make your PHP sessions more secure. Almost all of these articles say that you need to save the useragent in the session WITH an additional salt. Something…
Scee
4 votes, 5 answers

Stealing session id cookies - counter measures

It is easy to steal session id cookies with javascript functions planted in trusted sites by other users. What are the possible counter-measures for this kind of attack? Rejecting all javascript scripts on the client-side is probably difficult…
paweloque
4 votes, 1 answer

Spring Security cookies after user logs in and Session Hijacking

As far as I understand, when the user logs in Spring Security invalidates the Session and creates a new one. So if I come from http with a clear sessionID cookie Spring Security should set a new sessionID 'secure' cookie that will be sent back by the…
mickthompson
4 votes, 2 answers

Jeff Prosise's session hijack blog - any updates?

I'm looking to prevent session hijacking in my ASP.NET application and came across this great post by Jeff Prosise. However, it's from 2004 and I was wondering if there have been any updates that either perform the same thing, or result in any…
keyboardP
3 votes, 2 answers

PHP Protecting from Session Fixation/Hijacking

I'm maintaining a low-traffic shop website that stores credit card numbers in the database. This isn't right (or even legal I believe), so I'm changing the way the numbers are stored. The way the site is structured, the credit card information…
Nick Rolando
3 votes, 1 answer

web.xml error when using 'HttpOnly' and 'Secure' attributes

I want to make my JSF application less vulnerable to session hijacking. So I have added the following code to the web.xml file. 60
Buddhika Ariyaratne
3 votes, 1 answer

Using Timestamps to Prevent Session Hijacking?

I have been looking at ways to guard against session-hijacking, where someone steals a session cookie and uses it to gain access to the system. Programs such as http://codebutler.com/firesheep make it easy to sniff sessions on open Wireless…
espeed
3 votes, 1 answer

Fortify JavaScript Hijacking: Vulnerable Framework aspx using Jquery Ajax

I am working on a legacy system, we just scanned it with HP Fortify and got JavaScript Hijacking: Vulnerable Framework, the code is below. What Can I do to secure this? I am not entirely understanding the issue. function…
China Syndrome
3 votes, 5 answers

How Easy Is It to Hijack Session Vars on GoDaddy (PHP)

This article states that If your site is run on a shared Web server, be aware that any session variables can easily be viewed by any other users on the same server. On a larger host like GoDaddy, are there really no protections in place…
Dan Rosenstark
3 votes, 1 answer

Session hijacking counter measures in ASP.NET

I want to implement measures to prevent/mitigate session hijacking. Thus, I want to know the options, either from built-in ASP.NET or custom components. Please note that session hijacking refers to Forms Auth session and Session State. My ASP.NET…
Pingpong
3 votes, 2 answers

Can Sessions be manipulated by the user clientside?

Background story: We run a website with thousands of users and a handful of admins. Some of these admins don't need all-access to the website, so I want to restrict their access by giving them individual permissions. My plan is to set a Session on…
KlaasJan
3 votes, 2 answers

Of HttpOnly and document.cookie

Searching for possible ways to get a cookie with httpOnly enabled, I cannot find any. But then again, how can browser addons like Firebug, Add 'N Edit Cookie, etc. get the cookies? Can't an attacker do the same? So my question is, is it really,…
syaz