What’s a Session?
To understand session hijacking we start with a brief introduction to sessions. In computing, a session is a period of communication between two devices or systems, or the time a user spends interacting with a computer (a server). Sessions come in two kinds: user-initiated and technology-initiated. A user-initiated session is like an online chat between two computers: the users start and end the session themselves. A technology-initiated session is like the sending of email, where the communication takes place between a computer and a server.
On the web, a session is created when your browser first contacts a site's server and ends when you log out or close the browser. Each session is identified by a session ID, a value the website's server assigns when the session starts. If the session stays inactive for a while, the server expires it, and the next visit starts a new session with a new session ID. The session ID is carried either in a cookie (which is why the attack is also called cookie hijacking) or as part of the URL.
The session ID is the weak point of web sessions: whoever presents a valid ID is treated as that user. Attackers obtain one either by stealing it (from the network or from the browser) or by predicting it when the server generates IDs predictably. Once the attacker has the session ID they can impersonate the user and perform every action that user is allowed to perform on the website. The main methods of session hijacking are as follows.
1. Session Fixation
In session fixation the attacker first obtains a session ID (for example, by visiting the site and being issued one) and then plants it on the victim, typically by sending a link that carries that ID in an email and waiting for the user to open the email and click the link. When the user logs in while using the planted ID, the server attaches the user's authenticated identity to an ID the attacker already knows.
2. Session Side Jacking
Many websites encrypt only the login page, to keep usernames and passwords away from attackers, and then send the session cookie in the clear on every other page. An attacker on the same network (an open Wi-Fi hotspot, for instance) can intercept that traffic and read the cookie out of it. Session sniffing is the same idea: the attacker uses a sniffer of some sort, such as a packet-capture tool or a proxy, to capture the network traffic.
3. Cross-site Scripting
If a site has a cross-site scripting flaw, script injected by the attacker runs in the victim's browser on the site's own origin, where it can read the session cookie (unless the cookie is marked HttpOnly) and send it to the attacker without raising any alarm. Malware on the user's machine can steal the browser's cookies just as quietly. Malware is any software that exists to harm data or services; it can take actions such as installing other programs or apps without the user's consent or knowledge.
How to Prevent Session Hijacking
Encrypting the traffic between the parties with TLS (SSL) is one way of preventing session hijacking. It stops the sniffing-style attacks, but only if the whole site is served over HTTPS, not just the login page, and the session cookie is marked Secure so the browser never sends it over plain HTTP. Even then it is not a complete defence: fixation and cross-site scripting work over an encrypted connection just as well.
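The caveat above, as an added example that is not code from the original article: a small checker for the Set-Cookie header a server sends, flagging the attributes that decide whether encryption alone protects the session cookie. The cookie name `sessionid` and the two sample headers are constructed for the demonstration.

```python
# Added example, not from the original article: audit a Set-Cookie header
# for the attributes that limit session-cookie theft. The cookie name and
# the sample headers are constructed for the demonstration.


def parse_set_cookie(header):
    """Split a Set-Cookie value into its name, value and attribute map.

    Attribute names are lower-cased; flag attributes with no value
    (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_session_cookie(header):
    """Return the list of weaknesses found in a session cookie header."""
    attrs = parse_set_cookie(header)["attrs"]
    findings = []
    if "secure" not in attrs:
        # Without Secure the browser also sends the cookie over plain http://,
        # so an attacker who lures the victim to any http:// URL on the site
        # sees it on the wire even though the login page used TLS.
        findings.append("missing Secure")
    if "httponly" not in attrs:
        # Without HttpOnly, script injected via XSS can read document.cookie.
        findings.append("missing HttpOnly")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("lax", "strict"):
        # Without SameSite=Lax/Strict the cookie rides along on cross-site requests.
        findings.append("missing SameSite=Lax or Strict")
    return findings


# Constructed sample headers: one as many sites send it, one hardened.
WEAK_HEADER = "sessionid=b4d1f0e9c7a2; Path=/"
HARDENED_HEADER = "sessionid=b4d1f0e9c7a2; Path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    for label, header in (("weak", WEAK_HEADER), ("hardened", HARDENED_HEADER)):
        print(label, audit_session_cookie(header) or "OK")
```

Run it against the headers your own site returns (copy them from the browser's network panel); a site that serves every page over HTTPS but omits Secure still leaks the cookie the moment the victim's browser makes one http:// request to it.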
- Session ID regeneration
The other way to stop attackers, and the specific defence against session fixation, is to issue a new session ID immediately after a successful login and invalidate the old one. The rest of the communication then uses an ID the attacker does not know.
- Long Session Keys & Double Checks
Using long session IDs drawn from a cryptographically secure random number generator removes the attacker's ability to predict one; length alone does not help if the value is derived from something guessable such as the login time. Some services also double-check the user's identity: they check whether the IP address of the current request matches the one recorded when the session started, and end the session if it does not. This check is only a heuristic: users on mobile networks change IP addresses legitimately, and an attacker sitting on the same network as the victim appears to the server with the same public address.
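The prediction risk above, as an added example that is not code from the original article. `weak_session_id()` is a constructed weak scheme in which the ID is a hash of the login time in milliseconds; the login timestamp and the attacker's estimate of it are made up for the demonstration.

```python
# Added example, not from the original article: why a session ID must be
# unpredictable. weak_session_id() is a constructed weak scheme (the ID is
# a hash of the login time in milliseconds); the login timestamp is made up.
import hashlib
import math
import secrets


def weak_session_id(login_time_ms):
    """Constructed weak scheme: the only 'secret' is when the user logged in."""
    return hashlib.md5(str(login_time_ms).encode()).hexdigest()


def strong_session_id():
    """256 bits from the OS CSPRNG; the search space is 2**256 IDs."""
    return secrets.token_urlsafe(32)


def guess_space_bits(window_ms):
    """Bits of uncertainty an attacker faces when the login time is known
    to within +/- window_ms."""
    return math.log2(2 * window_ms + 1)


def brute_force_weak_id(server_accepts, approx_login_ms, window_ms=5000):
    """Try every ID the weak scheme could have produced in the window.

    server_accepts(sid) -> bool models the attacker sending the guessed
    cookie and seeing whether the server treats the request as logged in.
    Returns the working ID, or None if no ID in the window is valid.
    """
    for t in range(approx_login_ms - window_ms, approx_login_ms + window_ms + 1):
        sid = weak_session_id(t)
        if server_accepts(sid):
            return sid
    return None


def demo():
    """The victim logged in at a time the attacker knows to within a few
    seconds (a timestamp on a post, a 'last login' banner, a log line)."""
    login_ms = 1_700_000_000_123                # constructed
    active_sessions = {weak_session_id(login_ms)}   # the server's session table
    # attacker's estimate is off by 1.2 s; a 5 s window means at most 10001 tries
    found = brute_force_weak_id(active_sessions.__contains__, login_ms + 1_234)
    return found == weak_session_id(login_ms)


if __name__ == "__main__":
    print("weak ID recovered:", demo())
    print("guesses needed (bits):", round(guess_space_bits(5000), 1), "vs 256")
    print("strong ID:", strong_session_id())
```

The weak ID is 32 hex characters, longer than many real session cookies, yet it carries only about 13 bits of uncertainty once the login time is roughly known; the strong ID is 43 characters and carries 256. Length is a side effect of entropy, not a substitute for it.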
- Change Cookie Value
Another way is to change the session ID periodically (for example, every few minutes), invalidating the previous value each time. This does not prevent a hacker from hijacking the session, but it gives them only a small window of opportunity in which a stolen ID still works.
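Session fixation (method 1 above), regeneration of the ID at login, and periodic change of the cookie value, shown together in one added example that is not code from the original article. It is a toy in-memory session store; the user name, the timings and the FakeClock are constructed for the demonstration.

```python
# Added example, not from the original article: a minimal in-memory session
# store showing session fixation, regeneration of the ID at login, and
# periodic rotation of the ID. User names, timings and the FakeClock are
# constructed for the demonstration.
import secrets
import time


class SessionStore:
    def __init__(self, regenerate_on_login, rotate_after=600.0, clock=time.time):
        self.regenerate_on_login = regenerate_on_login
        self.rotate_after = rotate_after   # seconds a given ID stays valid
        self.clock = clock
        self.sessions = {}                 # sid -> {"user": ..., "issued": ...}

    def _issue(self, user):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "issued": self.clock()}
        return sid

    def start(self):
        """Anonymous session, as handed out on the first visit to the site."""
        return self._issue(None)

    def login(self, sid, user):
        """Authenticate session `sid`; returns the ID the client uses from now on."""
        if sid not in self.sessions:
            raise KeyError("unknown session")
        if self.regenerate_on_login:
            del self.sessions[sid]         # the planted ID stops working here
            return self._issue(user)
        self.sessions[sid]["user"] = user  # fixation: the planted ID is now alice's
        return sid

    def resolve(self, sid):
        """Look up a request's session. Returns (user, sid_to_set); the
        second value differs from `sid` when the ID was rotated."""
        entry = self.sessions.get(sid)
        if entry is None:
            return None, None
        if self.clock() - entry["issued"] >= self.rotate_after:
            del self.sessions[sid]         # stolen copies of the old ID die here
            sid = self._issue(entry["user"])
        return entry["user"], sid


class FakeClock:
    """Constructed clock so the rotation interval can be crossed instantly."""
    def __init__(self):
        self.now = 1000.0

    def __call__(self):
        return self.now


def fixation_attack(regenerate_on_login):
    """Returns (attacker_is_logged_in, victim_is_logged_in)."""
    store = SessionStore(regenerate_on_login, clock=FakeClock())
    planted = store.start()               # attacker obtains a valid anonymous ID
    # ... and emails the victim a link that makes her browser use `planted`.
    victim_sid = store.login(planted, "alice")
    attacker_user, _ = store.resolve(planted)   # attacker replays the planted ID
    victim_user, _ = store.resolve(victim_sid)
    return attacker_user == "alice", victim_user == "alice"


def rotation_demo():
    """Returns (victim's user after rotation, ID changed?, what the thief gets)."""
    clock = FakeClock()
    store = SessionStore(True, rotate_after=600, clock=clock)
    sid = store.login(store.start(), "alice")
    stolen = sid                          # cookie sniffed now
    clock.now += 601                      # victim's next request after the interval
    user, new_sid = store.resolve(sid)    # server rotates; victim gets new_sid
    thief_user, _ = store.resolve(stolen)
    return user, new_sid != sid, thief_user


if __name__ == "__main__":
    print("no regeneration:", fixation_attack(False))
    print("regenerate on login:", fixation_attack(True))
    print("after rotation:", rotation_demo())
```

Without regeneration the attacker's planted ID ends up authenticated as alice; with it, the planted ID is dead the moment she logs in. Rotation only narrows the window, as the section says: had the thief sent the stolen cookie before the victim's next request, the server would have handed the fresh ID to the thief instead.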