Session Hijacking


Session hijacking is a type of spoofing attack in which the attacker disconnects a host and then replaces it with his or her own machine, spoofing the original host's IP address so that an already-established session continues with the attacker in place of the legitimate host.

  • In the context of web apps, session hijacking usually means exploiting a session cookie.
    • The attacker may choose a fixed session ID and send it to a target (session fixation).
      • If the target then enters the session (usually under false pretenses), the attacker has access to that session.
    • Normally a cookie can only be used by the server or domain that created it,
      • but this restriction can be subverted by a cross-site scripting attack.
    • The attacker can also sniff network traffic to obtain session cookies sent over an unsecured network.
    • To counter cookie hijacking:
      • encrypt cookies during transmission
      • delete cookies from the client's browser cache when the client terminates the session
      • design the web app to deliver a new cookie with each new session between the app and the client's browser
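The three countermeasures above, worked through in a minimal server-side session store. This is an added example written for these notes, not code from the original page; the class, function names and the attacker-chosen ID string are constructed for illustration.

```python
import secrets
import time

SESSION_ID_BYTES = 32  # 256 bits of entropy per session ID


class SessionStore:
    """Constructed server-side session store: only IDs minted here are ever honoured."""

    def __init__(self):
        self._sessions = {}  # session_id -> {"user": ..., "created": ...}

    def new_session(self):
        """Issue a fresh, unguessable ID; a client-supplied ID is never adopted."""
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[sid] = {"user": None, "created": time.time()}
        return sid

    def resolve(self, presented_sid):
        """Map a presented cookie value to a known session, else start a new one.
        An attacker-fixed ID that the server never minted is simply discarded."""
        return presented_sid if presented_sid in self._sessions else self.new_session()

    def login(self, presented_sid, user):
        """On authentication, move the session data to a brand-new ID ("new cookie
        with each new session"), so a pre-set ID never becomes an authenticated one."""
        old_sid = self.resolve(presented_sid)
        data = self._sessions.pop(old_sid)
        data["user"] = user
        new_sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[new_sid] = data
        return new_sid

    def logout(self, sid):
        """Terminate the session server-side; the cookie is also cleared on the client."""
        self._sessions.pop(sid, None)

    def user_for(self, sid):
        session = self._sessions.get(sid)
        return session["user"] if session else None


def set_cookie_header(sid):
    """Secure = sent only over TLS (encrypted in transit); HttpOnly = not readable by
    page script, which blunts cookie theft via cross-site scripting."""
    return f"session={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


def clear_cookie_header():
    """Set-Cookie value that deletes the session cookie from the browser at logout."""
    return "session=; Max-Age=0; Secure; HttpOnly; SameSite=Lax; Path=/"


def fixation_attempt(store):
    """Victim logs in while carrying an attacker-chosen ID; report what the attacker ends up with."""
    attacker_chosen = "attacker-fixed-id"  # constructed value the attacker planted
    victim_sid = store.login(attacker_chosen, "victim")
    return {
        "attacker_id_authenticated": store.user_for(attacker_chosen) is not None,
        "victim_got_new_id": victim_sid != attacker_chosen,
        "victim_logged_in": store.user_for(victim_sid) == "victim",
    }
```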