Glossary of Security Terms: Session Hijacking

• no account lockout for invalid session IDs
• weak session-ID generation algorithm
• insecure handling
• indefinite session expiration time
• short session IDs
• transmission in plain text

1. Sniff, that is perform a man-in-the-middle (MITM) attack, place yourself between victim and server.
2. Monitor packets flowing between server and user.
3. Break the victim machine's connection.
4. Take control of the session.
5. Inject new packets to the server using the Victim's Session ID.

• create a secure communication channel with SSH (secure shell)
• pass authentication cookies over HTTPS connection
• implement logout functionality so the user can end the session
• generate the session ID after successful login
• pass encrypted data between the users and the web server
• use a string or long random number as a session key

Learn more

• Session hijacking on Wikipedia

View Previous Terms:

• Block cipher mode of operation
• Certificate authority
• Challenge-response authentication
• Cipher
• Cipher suite
• Ciphertext
• CORS
• CORS-safelisted request header
• CORS-safelisted response header
• Cross-site scripting
• Cryptanalysis
• Cryptographic hash function
• Cryptography
• CSP
• CSRF
• Decryption
• Digital certificate
• DTLS (Datagram Transport Layer Security)
• Encryption
• Forbidden header name
• Forbidden response header name
• Hash
• HMAC
• HPKP
• HSTS
• HTTPS
• Key
• MitM
• OWASP
• Preflight request
• Public-key cryptography
• Reporting directive
• Robots.txt
• Same-origin policy
• SQL Injection
• Symmetric-key cryptography
• TOFU
• Transport Layer Security (TLS)

Credits

• Source: https://developer.mozilla.org/en-US/docs/Glossary/Session_hijacking
• Published under Open CC Attribution ShareAlike 3.0 license