Session Prediction Attack
Session prediction attacks focus on identifying possible weaknesses in the generation of session tokens that will enable an attacker to predict future valid session values.
- If an attacker can predict the session token, then they can take over a session that has yet to be established.
- A session token must:
  - be generated using a non-predictable algorithm (a cryptographically secure random source)
  - not reveal any information about the session client
- Proper session management dictates that apps:
  - limit the lifespan of a session
  - require reauthentication after a certain period
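As an added example (not from the original notes), the session store below applies these rules: tokens come from the OS CSPRNG and carry nothing about the client, sessions expire after an absolute lifespan, and a reauthentication step is demanded after an interval. The lifespan and reauthentication values, the `SessionStore` class, and the crude `looks_sequential` check for a predictable generator are all assumptions made for the example.

```python
import re
import secrets
import time

SESSION_LIFESPAN = 8 * 3600   # absolute session lifespan in seconds (assumed policy)
REAUTH_INTERVAL = 15 * 60     # seconds before credentials are required again (assumed policy)


class SessionStore:
    """Server-side session table keyed by an unpredictable token."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry logic can be tested
        self._sessions = {}

    def create(self, user_id):
        # 32 bytes (256 bits) from the OS CSPRNG; the token is independent of user_id
        token = secrets.token_urlsafe(32)
        t = self._now()
        self._sessions[token] = {"user": user_id, "created": t, "last_auth": t}
        return token

    def validate(self, token):
        s = self._sessions.get(token)
        if s is None:
            return "invalid"
        now = self._now()
        if now - s["created"] > SESSION_LIFESPAN:
            del self._sessions[token]       # hard expiry: the token is never accepted again
            return "expired"
        if now - s["last_auth"] > REAUTH_INTERVAL:
            return "reauth_required"        # session kept, but the app must re-prompt
        return "ok"

    def reauthenticate(self, token):
        self._sessions[token]["last_auth"] = self._now()


def weak_token(counter, user_id):
    """Counter-based token that leaks the client and steps by one (for contrast only)."""
    return f"{user_id}:{counter:06d}"


def looks_sequential(tokens):
    """True when every token ends in digits that advance by a constant non-zero step."""
    tails = [re.search(r"(\d+)$", t) for t in tokens]
    if len(tails) < 3 or any(m is None for m in tails):
        return False
    nums = [int(m.group(1)) for m in tails]
    steps = {b - a for a, b in zip(nums, nums[1:])}
    return len(steps) == 1 and steps.pop() != 0
```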