Session hijacking is a type of network security attack that relies on "guessing" the ISNs of TCP packets and taking control of the communication. The attacker intercepts and retransmits messages so that the communication appears to still be active. The attack is performed using a program which appears as a service to the client and as a client to the server.
Questions tagged [session-hijacking]
119 questions
1
vote
1 answer
Prevent session cookie hijacking WITHOUT SSL
To prevent session hijacking, I tried to assign a specific cookie name to each user based on these variables: User-agent and IP Address.
I have used the following function to generate the session cookie name which holds the session ID.
static function…

zxcmehran
1
vote
4 answers
Storing the user Password (serverside), connecting it to a cookie - security Issues
I'm trying to find a secure solution to a problem I have concerning cookies / sessions and DB data.
I already read through different articles like http://www.devshed.com/c/a/PHP/Sessions-and-Cookies/ that explain different Cookie theft and Session…

Katai
1
vote
1 answer
Preventing Facebook session hijacking
I'm building a financial services web application and my company wants to incorporate Facebook authentication into it. Because we're in the finance world, security is paramount. I'm using the Facebook PHP SDK for integration, but I'm really…

user1387983
1
vote
2 answers
asp.net membership LoginStatus control needs codes?
I'm using the LoginStatus control to let my users log out. I write no more code for the logout process (no session removing, deleting cookies or redirecting user), just rely on the control's built-in code.
Now I wonder if it is enough to put a…

mohsen dorparasti
0
votes
1 answer
Pass HTTP session for third party site from server to client
Let's say my web app is acting on behalf of users who give their credentials to my app so the app can make API calls to a third party service. Incidentally, this is for posting product offers to this third party site (bit like eBay, but on a smaller…

Lumi
0
votes
3 answers
PHP session hijack
Possible Duplicate:
PHP Session Fixation / Hijacking
I've been using $_SESSION superglobal a lot and heavily.
However the situation is like this:
Once the user is logged I want to keep track of his ID(MySQL table). I can easily
insert the id…

lukas.pukenis
0
votes
1 answer
Trying to understand CakePHP cookies & authentication
I'm trying to figure out CakePHP cookies and meet my slightly unusual authentication requirements.
I have a CakePHP-based data collection system that is now being integrated with a reporting system built with COTS software. The reporting system…

tomfumb
0
votes
2 answers
Session Management and Security
This is my current session management:
if(!isset($_SESSION["user"]["authenticated"]) ||
!$_SESSION["user"]["authenticated"])
redirect("login.php");
if($_SESSION["user"]["browserHash"] != md5($_SERVER["HTTP_USER_AGENT"]))
…

Rolando Cruz
0
votes
0 answers
Session Hijacking over LAN
I've been doing a lot of research regarding session hijacking and I'm concerned at the number of codebases which seem to have poor implementations of defence against this. I feel I have a good understanding now of how to prevent this, such…

Chris98
0
votes
0 answers
Session hijacking: How to prevent access to web app when JSESSIONID cookie copied from one browser to another?
I have developed a web application in Java Spring Boot. After login to the web application JSESSIONID is stored in browser cookies, now when I copy this cookie details from my current browser and create same cookie in some other browser then I'm…

Sushil
0
votes
0 answers
Is Setting A $_SESSION Value That Is The Same As A GET Parameter A Security Risk - PHP?
I've seen a PHP security tutorial where it says never to accept $_SESSION identifiers from GET or POST variables due to session hijacking and fixation. It annoyingly doesn't go into any real detail on this though.
In an application I'm building I…

pjk_ok
0
votes
0 answers
Is session hijacking possible using same system and same browser?
Basically, I have two questions
A.
Is session hijacking possible with the same system but two new instances of the browsers (eg. 1.New Window and 2.Incognito)?
If Yes, then how could I prevent session hijacking in this scenario?
What I have tried is…

Vaibhav Deshmukh
0
votes
0 answers
Avoid session hijack within my own website
I recently created a small website where users can sign-in (session is stored as a cookie with the flag HttpOnly).
Users can create and upload their own files and share some of them with their friends/colleagues or even make them completely…
0
votes
0 answers
How can I make a website more secured with a nodejs backend and reactjs frontend & mongodb as a database
I am making a social media project and I am using JWT tokens for authentication, I am worried if my JWT token can be stolen away from my user's browser and can be used for malicious purpose.

Nikhil
0
votes
2 answers
Can we avoid session hijacking using Spring Security?
We are using apache tomcat as a server for our Spring MVC based web application. If a user has been logged in from a browser let's say chrome, and we copied its JSESSIONID and pasted into another browser let's say Firefox, and then we are able to…

Navnath