Sergey Nivens - Fotolia


Session hijacking prevention tips you should know

Session hijacking prevention means putting into motion techniques that will help you guard your network. This is what you need to know to learn how to prevent session hijacking.

Session hijacking is one of the most common web security threats. It is easy to launch if proper defenses are not...

used, and it can be difficult to detect. It's important, therefore, to take the proper pre-emptive steps to keep sessions safe, especially within the application layer, which is where primary attack vectors exist.

In attempting to hijack a session, the attacker's objective is simple: to steal, predict or reuse a session token. To prevent this from happening, you need to understand session hijacking prevention. Popular culprits are session sniffing, predictable session token ID, man in the browser, client-side and session fixation.

Session sniffing

Session sniffing is one of the most basic techniques used with application layer session hijacking. The attacker uses a sniffer, such as Wireshark, or a proxy, such as OWASP Zed, to capture network traffic -- containing the session ID -- traveling from a website to a client. Several common formats are shown here:




Notice how the JSESSIONID is set to a value of 1WRAuUyubAmxaGvtxbGuO4RfNjN1R3. If the attacker can capture this value, he can use this valid token to gain unauthorized access.

Session prediction

Many web servers use a custom algorithm or predefined pattern to generate session IDs. The greater the predictability of a session token, the weaker it is and the easier it is to predict. If the attacker can capture several IDs and analyze the pattern, he may be able to predict a valid session ID. For example, suppose you were able to capture one ID as follows:


This may look somewhat secure and sufficiently long and complex enough to ensure session hijacking prevention. However, if you can capture several session tokens, patterns in their value may become evident, as shown here:






Upon discovering this sequence, an attacker can easily predict a valid session ID and use it to gain access to a victim's account.

Man in the browser

A man-in-the-browser attack is similar to a man-in-the-middle attack, but the attacker must first infect the victim's computer with a Trojan. The attacker usually gets the malware onto the victim's computer through some form of trickery or deceit. For example, the victim may have been asked to install some plug-in to watch a video, update a program or install a screensaver. Once the victim is tricked into installing malware onto her system, the malware waits for the victim to visit a targeted site. The man-in-the-browser malware can invisibly modify transaction information, like the amount or destination. It can also create additional transactions without the user knowing. Because the requests are initiated from the victim's computer, it is very difficult for the web service to detect that the requests are fake.


Whereas session sniffing seeks to grab a session ID as it's transmitted across a network, these feature client-side attacks targeting end users. The idea is to extract session IDs stored on the victim's system or to use these tokens for the attackers benefit. Client-side attacks can include cross-site scripting (XSS), cross-site request forgery (CSRF) and malicious JavaScript codes. XSS enables attackers to inject malicious client-side scripts into the webpages accessed by others. CSRF occurs when a victim is logged into a legitimate site and a malicious site at the same time. It allows the attacker to exploit the active session the victim has with a trusted site. Malicious JavaScript can be hidden by obfuscating code. Each form of mobile code has a different security model and configuration management process, increasing the complexity of securing mobile code hosts and the code itself. Some of the most common forms of mobile code are JavaScript; however, Java applets, ActiveX and Flash can also be targets of client-side attacks.

Session fixation

Session fixation attacks work by stealing a valid session ID that has yet to be authenticated. Then, the attacker tries to trick the user into authenticating with this ID. Once authenticated, the attacker now has access to the victim's computer. Session fixation explores a limitation in the way the web application manages a session ID. Three common variations exist: session tokens hidden in an URL argument, session tokens hidden in a form field and session tokens hidden in a session cookie.

Session hijacking prevention and its benefits

What's important to remember is it's possible for an attacker to steal and reuse session identifiers or other sensitive cookie values when they're stored or transmitted insecurely.

What's important to remember when learning how to prevent session hijacking and other attacks is it's possible for an attacker to steal and reuse session identifiers or other sensitive cookie values when they're stored or transmitted insecurely. While providing 100% protection can be difficult, encryption is the main defense. When a user authenticates, Secure Sockets Layer and a secure cookie should be mandatory. When authenticated users visit one or more secure pages, they should continue to be forced to use HTTPS with Secure and HttpOnly flags set on sensitive session cookies. The session ID should be a random value that cannot be easily predicted.

Sometimes, the session IDs are obscured via hex, Unicode or some other type of encoding, which is a poor practice and should be avoided. Security by obscurity never works. Short session timeouts should be enforced to mitigate risk. Controls should be used to block multiple sessions under the same account and never validate the client by just the IP address. Verify the token -- generated upon login, which should be stored with the user's ID session in the database -- matches. Finally, the HTTP_USER_AGENT should also be verified to make sure it has not changed. Hijacking attacks are dangerous and can give attackers an authenticated connection, which could allow them to gain greater access. Session hijacking prevention becomes more critical as these attacks become more elaborate.

Next Steps

How to prevent session hijacking and how it works without passwords

How the Forbidden attack targets HTTPS sessions

How IP address hijacking works

This was last published in August 2017

Dig Deeper on Network Security Best Practices and Products