Questions tagged [session-hijacking]

Session hijacking is the takeover of an established session by an attacker who obtains or forges the identifier that authenticates it. The classic network form predicts the initial sequence numbers (ISNs) of a TCP connection and injects packets into it; in web applications, which most questions under this tag concern, it means acquiring a user's session identifier (a cookie or URL parameter) by sniffing unencrypted traffic, cross-site scripting, or session fixation (planting an identifier the attacker already knows before the victim logs in), and then presenting that identifier to the server. A program that poses as the server to the client and as the client to the server is a man-in-the-middle, one way of capturing or relaying the session rather than the attack itself. The usual defences are unguessable identifiers, regenerating the identifier on login and rejecting identifiers the server never issued, sending it only over TLS with the Secure and HttpOnly cookie attributes, and keeping it out of URLs.
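Session fixation and identifier regeneration, which several of the questions below ask about (session_regenerate_id, session.use_trans_sid, the "Session Identifier Not Updated" scanner finding), are easiest to see in code. The following is an added example, not code from this page or from any of the questions or answers it lists. It models a server-side session store in Python with two switches that stand in for PHP's session.use_strict_mode and a session_regenerate_id(true) call on login, runs a fixation attack against each configuration, and shows the cookie attributes that protect the identifier in transit. The user table, the planted identifier, the cookie name and the class itself are constructed for the demonstration.

```python
import hmac
import secrets
from typing import Dict, Optional

# Constructed credential table for the demo only; a real application stores
# password hashes, never plaintext.
USERS: Dict[str, str] = {"alice": "correct horse battery staple"}


def check_password(user: str, password: str) -> bool:
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(expected, password)


class SessionStore:
    """Toy server-side session store (hypothetical, built for this example).

    strict_ids          ~ PHP session.use_strict_mode: refuse ids the server never issued.
    regenerate_on_login ~ calling session_regenerate_id(true) once the user authenticates.
    """

    def __init__(self, strict_ids: bool = False, regenerate_on_login: bool = False):
        self.sessions: Dict[str, Dict[str, Optional[str]]] = {}
        self.strict_ids = strict_ids
        self.regenerate_on_login = regenerate_on_login

    def _issue(self) -> str:
        sid = secrets.token_urlsafe(32)  # 256 CSPRNG bits: not guessable like a counter or timestamp
        self.sessions[sid] = {"user": None}
        return sid

    def resolve(self, presented: Optional[str]) -> str:
        """Map the id a request carries (cookie or URL) to the session it runs under."""
        if presented in self.sessions:
            return presented
        if presented is not None and not self.strict_ids:
            # Permissive mode: start a session under whatever id the client sent.
            # This lets an attacker choose the id the victim will authenticate under.
            self.sessions[presented] = {"user": None}
            return presented
        return self._issue()

    def login(self, sid: str, user: str, password: str) -> str:
        """Authenticate the session; returns the id the client must use from now on."""
        if not check_password(user, password):
            raise PermissionError("bad credentials")
        if self.regenerate_on_login:
            # Privilege level changed: move the state to a fresh id and destroy the
            # old one, so an id anyone learned before login is worthless afterwards.
            state = self.sessions.pop(sid)
            sid = self._issue()
            self.sessions[sid] = state
        self.sessions[sid]["user"] = user
        return sid

    def current_user(self, sid: str) -> Optional[str]:
        return self.sessions.get(sid, {}).get("user")


def fixation_attack(store: SessionStore, fabricate_id: bool) -> Optional[str]:
    """Session fixation against `store`: the attacker plants an id they know, the
    victim logs in under it, the attacker then presents that same id.
    Returns the user the attacker ends up logged in as (None = attack failed)."""
    if fabricate_id:
        planted = "attacker-picked-id"  # an id the server never issued
    else:
        planted = store.resolve(None)   # attacker first visits the site and gets a real id
    # How the id reaches the victim (URL rewriting via session.use_trans_sid, a cookie
    # set from a sibling subdomain, ...) is outside this model: assume it arrives.
    victim_sid = store.resolve(planted)
    store.login(victim_sid, "alice", "correct horse battery staple")
    return store.current_user(planted)


def session_cookie_header(sid: str) -> str:
    """Set-Cookie line for the id. Secure stops it crossing the wire in clear
    (sniffing), HttpOnly keeps it out of reach of script (XSS), SameSite=Lax
    blocks most cross-site requests. The cookie name is a placeholder."""
    return f"Set-Cookie: SESSIONID={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    configs = {
        "permissive, no regeneration": SessionStore(),
        "strict ids only": SessionStore(strict_ids=True),
        "strict ids + regeneration": SessionStore(strict_ids=True, regenerate_on_login=True),
    }
    for name, store in configs.items():
        fabricated = fixation_attack(store, fabricate_id=True)
        issued = fixation_attack(store, fabricate_id=False)
        print(f"{name:30} fabricated id -> {fabricated!r:8} issued id -> {issued!r}")
```

Strict mode alone only stops the variant where the attacker invents an identifier; an attacker who first obtains a genuine identifier from the server and plants that one still succeeds. Regenerating on login defeats both, because the identifier the victim authenticated under no longer exists after the call. The cookie attributes address the other theft routes on this page (packet sniffing without TLS, script access after XSS) but do nothing against fixation, so both measures are needed.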

119 questions
2 votes • 1 answer

Using Socket.IO, to prevent client-side hijacking when sending JavaScript events - use SignalR?

Using Socket.IO, clients are notified when other clients perform certain activities, through a JavaScript call to the Socket.IO server. That message is broadcast to all clients, and client-side logic decides who sees the notification. (Another…
ElHaix • 12,846 • 27 • 115 • 203
2 votes • 1 answer

Implementing Session Hijacking prevention, properly

I am pretty new to Web Development and I read about CSRF, XSS, and Session Hijacking. One proposed solution is to simply use a nonce to check the validity of requests. I wrote this script in PHP to prevent session hijacking. I think it is similar in…
Rolando Cruz • 2,834 • 1 • 16 • 24
2 votes • 3 answers

PHP Session Security Question

I was doing some research on StackOverflow on how to properly set sessions and prevent hijacking, etc. I found an answer that someone posted on one of the questions and he provided the following code: For when a user logs in and the username and…
Drew • 6,736 • 17 • 64 • 96
2 votes • 0 answers

Laravel Session Hijacking issue

We have a web application running on Laravel 5.4. We have given this website to an auditing service to check the vulnerabilities. Their report says that there is a threat of Session Hijacking. In the report, they have mentioned the threat below. THREAT:…
Naroju • 2,637 • 4 • 25 • 44
2 votes • 0 answers

Unwanted Session duplication in Django

We're using cached_db as our SESSION_ENGINE. We have a session duplication issue; this is the scenario: User 1 is browsing the system. User 2 is browsing and modifying his session. User 1 continues browsing and finds that his session has changed to…
kambi • 3,291 • 10 • 37 • 58
2 votes • 1 answer

crossdomain.xml and security issues

I read a lot about cross-site scripting with Flash, Javascript etc. and also found several lists of websites that have a crossdomain.xml that allows access from any server. For example, flickr.com trusts all domains. Can somebody explain to me why…
Bob • 999 • 1 • 9 • 12
2 votes • 1 answer

Is this a secure authentication system for an ajax-driven app?

I apologize ahead of time, because I'm neither great at explaining things nor at flow charts. This is not a specific code problem, but a general question on session security. I'm trying to eliminate as many potential problems as possible at once. I…
Greg • 7,782 • 7 • 43 • 69
2 votes • 3 answers

Session hijacking countering methods

It is pretty apparent that most of us PHP programmers don't want our published work to be hacked or exploited in ways we did not intend. I am therefore extra careful when asking about ways to counter session hijacking. I know there is the…
Alien13 • 558 • 3 • 8 • 30
2 votes • 1 answer

How can I hijack an open browser session and attach it to the Webdriver rather than opening a browser by itself

When using Selenium webDriver, I always have to initiate the driver and open a browser, navigate all the way through the flow to validate something, and if it fails by throwing an exception, I have to do the same again, spending a lot of time. Always thought of…
2 votes • 3 answers

I think my PHP app is being session hijacked?

I have a php site that lets registered users login (with a valid password) and sets up a session based on their UserID. However I'm pretty sure this is being hijacked and I've found "new" files on my server I didn't put there. My site cleans all user…
2 votes • 2 answers

Session Identifier Not Updated risk, real vulnerability or just false positive risk?

In a recent security scan using IBM AppScan in one of our ASP.NET applications, the following medium vulnerability is reported: Session Identifier Not Updated. Severity: Medium. Risk: It is possible to steal or manipulate customer session and cookies,…
Ahmed Atia • 17,848 • 25 • 91 • 133
2 votes • 1 answer

PHP is allowing old Session IDs to be used without changing them, which allows Sessions to be easily Hijacked. How to fix?

On one of my sites, I have ini_set('session.use_trans_sid', 1) set, which allows users with no Cookies to use the site. It does this by keeping track of the Session via the URL. However, I'm experiencing a serious security issue that is allowing…
ProgrammerGirl • 3,157 • 7 • 45 • 82
2 votes • 2 answers

Protect authenticated PHP session from Session Hijacking through packet sniffing

I am interested in the subject of securing PHP sessions without the use of SSL. To my surprise, if a man-in-the-middle sniffs the packets exchanged between the user and the server, it is very easy to steal the session, even if it is authenticated…
Leaurus • 376 • 3 • 13
1 vote • 3 answers

PHP Session - Multiple Users With 1 IP

On Monday, I thought I had solved the session hijacking security issue by setting the session as the user IP, until I logged in. I had two users with the same IP (myself and a test user) and it kept switching between the two. Is there a way to…
user870283
1 vote • 2 answers

Is Forms Authentication more secure than storing user identity in ASP.NET_session (session hijacking)

From what I understand about the way session hijacking works I don't see any advantage that Forms Authentication has over storing user authentication info in the ASP.NET session. Both Forms Authentication and ASP.NET session use cookies that are…
enamrik • 2,292 • 2 • 27 • 42