Questions tagged [session-hijacking]

Session hijacking is the takeover of an existing authenticated session. In web applications this usually means obtaining or predicting the session identifier (the session cookie or token) and replaying it, after which the server treats the attacker's requests as the victim's. At the transport level it means predicting TCP sequence numbers (ISNs and the current SND.NXT/RCV.NXT) so that forged segments are accepted as part of an established connection; the attacker injects or retransmits messages while the original communication appears to continue. The network variant is often carried out by a program that appears as the server to the client and as the client to the server.

119 questions
0
votes
1 answer

Is it possible for a hacker to impersonate a user by stealing session token and then faking the user-agent, IP and other details?

The common practice for authenticating and then tracking a session involves using the session id retrieved from the client and then comparing the user details stored in the database for that session id with the user agent details, IP, etc. Now, if a…
Ano
  • 11
  • 1
  • 1
  • 6
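An added example (not the asker's code, and not any framework's implementation) of the check the question describes, written in Python with an in-memory table standing in for the database. The user-agent strings and IP addresses are constructed. It shows the binding rejecting a replay from a different client, and accepting one in which the attacker presents the stolen id together with the same client-supplied values, since the server cannot authenticate any of them:

```python
"""Session lookup with a client "fingerprint" (User-Agent + IP) bound at login.

Added example, not the asker's code. Every value in the fingerprint is
supplied by the client, so a request that replays the stolen session id
together with the same header values is indistinguishable from the real one.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Constructed in-memory "database": session id -> bound details.
SESSIONS: Dict[str, dict] = {}


def fingerprint(user_agent: str, ip: str) -> str:
    """Hash of the client-supplied attributes the session is bound to."""
    return hashlib.sha256(f"{user_agent}\x00{ip}".encode()).hexdigest()


def login(user: str, user_agent: str, ip: str) -> str:
    """Create a session bound to the details seen at login; return its id."""
    sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    SESSIONS[sid] = {
        "user": user,
        "fp": fingerprint(user_agent, ip),
        "created": time.time(),
    }
    return sid


def authenticate(sid: str, user_agent: str, ip: str) -> Optional[str]:
    """Return the user for this request, or None if the binding check fails."""
    row = SESSIONS.get(sid)
    if row is None:
        return None
    # Constant-time compare so timing does not leak how much of the hash matched.
    if not hmac.compare_digest(row["fp"], fingerprint(user_agent, ip)):
        return None
    return row["user"]


def demo() -> dict:
    """Victim logs in; attacker replays the id first naively, then with
    the victim's User-Agent from the victim's address (shared NAT, same
    proxy, or a spoofed X-Forwarded-For header)."""
    ua = "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"  # constructed
    sid = login("alice", ua, "203.0.113.10")
    naive = authenticate(sid, "curl/8.4.0", "198.51.100.7")
    faked = authenticate(sid, ua, "203.0.113.10")
    return {
        "victim": authenticate(sid, ua, "203.0.113.10"),
        "naive_replay": naive,
        "faked_details": faked,
    }
```

The binding raises the bar for an attacker who only has the cookie, but it is not an authenticator: anything the client sends can be copied along with the cookie, and it locks out legitimate users whose address or browser changes.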
0
votes
1 answer

Is PHP's session_regenerate_id() collision free?

I am currently working on a project in PHP (7.2). I call the session_regenerate_id() function on every request to prevent session hijacking attacks (it is a small part of the whole process of detecting a hijacked session). The question is the…
Daniel Rotnemer
  • 107
  • 3
  • 12
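An added example, not the asker's code and not PHP's implementation, that models what regenerating the session id does with a small server-side store. It serves this question and the two below it (storing a hash of the token rather than the token, and an admin cookie pasted into another browser): the store keeps only a SHA-256 of each id so a dump of it yields no usable cookies, the id is rotated at login so an id fixed before authentication stops working, and the last step shows the cost of rotating on every request, where a second in-flight request still carrying the old id is rejected. The 128-bit id width is an assumption chosen to match a 32-hex-character id:

```python
"""Server-side session store that rotates the id at privilege boundaries.

Added example, not the asker's code. Rotation = new id, old id destroyed,
session data carried over (the behaviour of session_regenerate_id(true)).
"""
import hashlib
import secrets
import time
from typing import Dict, Optional

SESSION_BITS = 128  # assumption: same width as a 32-hex-char session id


class SessionStore:
    def __init__(self) -> None:
        self._rows: Dict[str, dict] = {}  # key: sha256(sid) hex, never the sid

    @staticmethod
    def _key(sid: str) -> str:
        return hashlib.sha256(sid.encode()).hexdigest()

    def create(self, data: Optional[dict] = None) -> str:
        sid = secrets.token_hex(SESSION_BITS // 8)
        self._rows[self._key(sid)] = dict(data or {}, created=time.time())
        return sid

    def load(self, sid: str) -> Optional[dict]:
        return self._rows.get(self._key(sid))

    def regenerate(self, old_sid: str) -> Optional[str]:
        """Move the session data to a fresh id and destroy the old one."""
        row = self._rows.pop(self._key(old_sid), None)
        if row is None:
            return None
        new_sid = secrets.token_hex(SESSION_BITS // 8)
        self._rows[self._key(new_sid)] = row
        return new_sid

    def holds_raw_id(self, sid: str) -> bool:
        return sid in self._rows


def login(store: SessionStore, sid_from_cookie: str, user: str) -> str:
    """Authenticate: rotate so a pre-set (fixated) id stops being valid,
    then attach the identity to the new id only."""
    new_sid = store.regenerate(sid_from_cookie) or store.create()
    store.load(new_sid)["user"] = user
    return new_sid


def demo() -> dict:
    store = SessionStore()
    fixated = store.create()  # id an attacker obtained/planted before login
    sid = login(store, fixated, "alice")
    result = {
        "fixated_id_after_login": store.load(fixated),  # None: destroyed
        "new_id_user": store.load(sid)["user"],
        "raw_id_in_store": store.holds_raw_id(sid),  # False: only hashes
    }
    # Rotate-on-every-request: two requests leave the browser carrying `sid`;
    # request 1 rotates, request 2 arrives with the now-dead id.
    store.regenerate(sid)
    result["concurrent_request_old_id"] = store.load(sid)  # None: "logged out"
    return result
```

Rotating at login, logout and privilege changes gives the fixation defence without the race; per-request rotation needs either a grace period for the old id or serialised requests, and a collision between two CSPRNG-generated 128-bit ids is not a practical concern.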
0
votes
1 answer

Good Method To Prevent Session Hijacking?

Scenario: Upon starting a session on my site, I generate a rand token that is shown to the user just that once. Say they "store" it away for later use. I then INSERT the md5(token) into SQL with a timestamp. When the user visits other pages like login,…
Newphper
  • 43
  • 1
  • 1
  • 5
0
votes
1 answer

Is there a way to check the authenticity of the user, after changing the Session Cookie?

Steps to re-create the issue: Log in with admin credentials and copy the session cookie. Open another browser, log in as another user, and paste the session cookie of the admin. Refresh the page. Now you'll be logged in as admin. How to solve this…
Mathew
  • 3
  • 5
0
votes
1 answer

Form token does not match when user refreshes page

I wrote the following three functions in an attempt to prevent session hijacking. They work. I call set_auth_token at the beginning of the script. Then in the HTML form I call get_auth_token. After the form has been posted I call check_auth_token.…
john mossel
  • 2,158
  • 5
  • 24
  • 39
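An added example in Python, not the asker's three functions, showing the failure mode and two fixes. A token regenerated on every page load no longer matches as soon as the user refreshes (or opens a second tab) between rendering the form and submitting it. Issuing one token per session avoids that without weakening the check, since an attacker still cannot read it out of the victim's session; where single-use per-form tokens are wanted, keeping a short list of recently issued ones tolerates refreshes and a few open tabs. The `session` dicts stand in for `$_SESSION`:

```python
"""Form tokens: per-page-load (breaks on refresh) vs per-session vs recent-set.

Added example, not the asker's code. `session` is a plain dict standing in
for the server-side session.
"""
import hmac
import secrets
from collections import deque


# --- Asker-style: a fresh token on every request -----------------------------
def per_request_set(session: dict) -> str:
    session["auth_token"] = secrets.token_urlsafe(32)
    return session["auth_token"]


def per_request_check(session: dict, submitted: str) -> bool:
    return hmac.compare_digest(session.get("auth_token", ""), submitted)


# --- Fix 1: one token for the life of the session ----------------------------
def per_session_get(session: dict) -> str:
    if "csrf" not in session:
        session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]


def per_session_check(session: dict, submitted: str) -> bool:
    return hmac.compare_digest(session.get("csrf", ""), submitted)


# --- Fix 2: single-use tokens, but remember the last N issued -----------------
class RecentTokens:
    def __init__(self, session: dict, keep: int = 5) -> None:
        self.tokens = session.setdefault("form_tokens", deque(maxlen=keep))

    def issue(self) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens.append(token)  # oldest falls off once `keep` is exceeded
        return token

    def check(self, submitted: str) -> bool:
        for token in list(self.tokens):
            if hmac.compare_digest(token, submitted):
                self.tokens.remove(token)  # consumed: a replay will fail
                return True
        return False


def demo_refresh() -> dict:
    session_a: dict = {}
    in_form = per_request_set(session_a)  # page rendered, form carries token
    per_request_set(session_a)            # user hits F5: session token rotated
    old_style = per_request_check(session_a, in_form)

    session_b: dict = {}
    in_form = per_session_get(session_b)
    per_session_get(session_b)            # refresh: same token
    new_style = per_session_check(session_b, in_form)
    guessed = per_session_check(session_b, secrets.token_urlsafe(32))

    session_c: dict = {}
    recent = RecentTokens(session_c)
    first = recent.issue()
    recent.issue()                        # refresh issued a second token
    tab_ok = recent.check(first)          # original form still submits
    replay = recent.check(first)          # but only once
    return {
        "per_request_after_refresh": old_style,
        "per_session_after_refresh": new_style,
        "guessed_token": guessed,
        "recent_first_submit": tab_ok,
        "recent_replay": replay,
    }
```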
0
votes
0 answers

Prevent session hijacking, fixation, injection, etc

I'm creating a login system and I have been reading a lot about the security measures needed to prevent session hijacking, fixation, and injection attacks, etc. I'm definitely not a security expert - I pieced together a lot of this with help from…
0
votes
1 answer

CSP Violation error for blocked URI https://searches8704500-a.akamaihd.net

I have added a CSP to my application and for the last few days my CSP report has been sending mail about a violation of the rule where the blocked URI is https://searches8704500-a.akamaihd.net. I am not sure what this is, or whether this is some type of malicious browser hijacking…
0
votes
0 answers

Session Id changes in Django POST response

While doing a POST request we've noticed that the user and data were changed. In the dev tools we saw that the session_id that came back from the server was different from the one in the request. What can cause such a behavior? We are using Django 1.6.
kambi
  • 3,291
  • 10
  • 37
  • 58
0
votes
1 answer

writing a TCP connection hijacking

I wrote a script to hijack a TCP connection, using Python's scapy. When testing the attack on a connection between a couple of VMs (server - xp_sp3, client - xp_sp1) I found the client port, then the server's SND.NEXT and, using it, the client's…
matanp
  • 9
  • 1
  • 2
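An added example, not the asker's scapy script, of the bookkeeping any injection into an established connection has to get right once the client port and the server's SND.NXT are known: the forged client-to-server segment must carry seq equal to the server's RCV.NXT (the ack in the last server segment) and ack equal to the server's SND.NXT (its seq plus the data it sent), and a correct checksum over the IPv4 pseudo-header, or the receiver drops it silently. It is built with `struct` only so it runs offline; putting it on the wire needs a raw socket and is left out. Addresses, ports and the sniffed sequence numbers are constructed:

```python
"""Craft an in-window TCP segment for an existing connection (no sending).

Added example, not the asker's code. Pure struct/socket helpers; the
addresses and sequence numbers in the demo are constructed.
"""
import socket
import struct

TCP_PROTO = 6
FLAG_ACK, FLAG_PSH = 0x10, 0x08
TCP_HDR = "!HHIIBBHHH"  # sport, dport, seq, ack, offset, flags, win, csum, urg


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over `data` (odd length padded with one zero byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header the TCP checksum also covers."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                       socket.inet_aton(dst_ip), 0, TCP_PROTO, tcp_len)


def build_segment(src_ip: str, dst_ip: str, sport: int, dport: int,
                  seq: int, ack: int, payload: bytes,
                  flags: int = FLAG_ACK | FLAG_PSH, window: int = 65535) -> bytes:
    """Return header + payload with the checksum filled in (20-byte header)."""
    hdr = struct.pack(TCP_HDR, sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    csum = ones_complement_sum(
        pseudo_header(src_ip, dst_ip, len(hdr) + len(payload)) + hdr + payload)
    hdr = struct.pack(TCP_HDR, sport, dport, seq, ack, 5 << 4, flags, window, csum, 0)
    return hdr + payload


def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Receiver's check: summing everything including the checksum yields 0."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def next_client_numbers(server_seq: int, server_ack: int, server_payload_len: int):
    """From the last sniffed server->client segment derive what the server
    expects next from the client: seq = its RCV.NXT, ack = its SND.NXT."""
    return server_ack, (server_seq + server_payload_len) & 0xFFFFFFFF


def parse_segment(segment: bytes) -> dict:
    sport, dport, seq, ack, off, flags, win, csum, urg = struct.unpack(TCP_HDR, segment[:20])
    hlen = (off >> 4) * 4
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": win, "payload": segment[hlen:]}


def demo() -> bytes:
    # Constructed: last observed server->client segment carried 30 bytes.
    seq, ack = next_client_numbers(server_seq=1000, server_ack=5000, server_payload_len=30)
    return build_segment("192.0.2.10", "192.0.2.20", 40000, 23, seq, ack, b"id\r\n")
```

The same arithmetic is why randomised ISNs only make the initial guess hard: once an attacker can sniff the connection, SND.NXT and RCV.NXT are read straight off the wire, and only encryption or integrity protection above TCP (TLS, SSH, IPsec) stops the injected data from being accepted.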
0
votes
2 answers

PHP sessions set on another server

I am trying to understand sessions in PHP. As far as I understand, in a basic login system the sessions work like this: On a page exampledomain.com/login.php: if (password_verify($_POST['user_password'], $result->password_hash)) { //write user data…
Victordb
  • 519
  • 1
  • 11
  • 25
0
votes
1 answer

Django session gets confused behind proxy, already logged in

Currently we're having some issues with a user of our product who uses a proxy on their internal network. According to their system administrator the proxy is open on ports 80 and 443, and doesn't do anything with cookies and such, only blocks out…
Bennie
  • 1
  • 1
0
votes
1 answer

Prevent Session Hijacking in asp.net mvc application

How can we prevent session hijacking in an asp.net mvc application? The following steps were performed by the testers to hijack the session - OWASP A2. Log in as a low-privilege user. Log in as an admin user (in a separate browser - from the same…
user6722034
0
votes
1 answer

Logged in user's session mix up in grails spring security on tomcat

I have an application in grails using spring-security for users and roles management. For the past few days I have been facing a strange issue: when one user logs in, at some point the user becomes another user (session mix-up). Example: User A logs in to…
Jumper
  • 103
  • 1
  • 8
0
votes
2 answers

how to prevent session hijacking from tools like burp suite in asp.net web application?

How can I prevent session hijacking in an asp.net web application from tools like burp suite? I have tried checking the IP address and web browser details for authentication in the global.asax file but have not been able to reach a solution.
0
votes
1 answer

PHP authentication security

I built a basic PHP authentication system for my web project. I just want to ask whether it is secure, because I am worried about session hijacking and SQL injection issues. The code is below. The user form field contains the user_email field name for the email…
Darshan Jadiye
  • 231
  • 3
  • 14