http://www.geeksforgeeks.org/session-hijacking/
What is session ID? - Definition from WhatIs.com
A session ID is a unique number that a Web site's server assigns a specific user for the duration of that user's visit (session). The session ID can be stored as a cookie, form field, or URL (Uniform Resource Locator).
Session IDs, in their conventional form, do not offer secure Web browsing. Skilled hackers can acquire session IDs (a process called session prediction), and then masquerade as authorized users in a form of attack known as session hijacking.
The session ID can also provide automatic authentication for future visits to that site or associated sites. If a cracker obtains session ID data, he can conduct an attack, such as session hijacking or session replay.https://en.wikipedia.org/wiki/Session_ID
As session IDs are often used to identify a user that has logged into a website, they can be used by an attacker to hijack the session and obtain potential privileges. A session ID is often a long, randomly generated string to decrease the probability of obtaining a valid one by means of a brute-force search. Many servers perform additional verification of the client, in case the attacker has obtained the session ID.
A session token is a unique identifier, usually in the form of a hash generated by a hash function that is generated and sent from a server to a clientto identify the current interaction session. The client usually stores and sends the token as an HTTP cookie and/or sends it as a parameter in GETor POST queries. The reason to use session tokens is that the client only has to handle the identifier (a small piece of data which is otherwise meaningless and thus presents minimal security risk) - all session data is stored on the server (usually in a database, to which the client does not have direct access) linked to that identifier.
JSESSIONID (Java EE), PHPSESSID (PHP), and ASPSESSIONID (Microsoft ASP)
http://www.shuatiblog.com/blog/2014/08/28/Http-cookie/
Types of HTTP Cookie
Session cookie
Persistent cookie
Max-age 1 year. The value set in that cookie would be sent back to the server every time the user visited the server. Also called tracking cookies
Secure cookie
The secure attribute is enabled, and is only used via HTTPS.
Third-party cookie
First-party cookies are cookies that belong to the same domain that is shown in the browser’s address bar. Third-party cookies are cookies that belong to domains different from the one shown in the address bar.
It opens up the potential for tracking the user’s browsing history.
Nowadays ther’e a new kind of HttpOnly cookie (used only when transmitting HTTP (or HTTPS) requests, thus restricting access from other, non-HTTP APIs such as JavaScript).
https://en.wikipedia.org/wiki/Session_hijacking
Session sidejacking
How to get the IP address when a session is created?
http://stackoverflow.com/questions/30115960/does-a-java-session-httpsession-validate-ip-addresses
Unpredictability
SSL Is Important
Another, less draconian, method is to set the cookie as “secure”. This ensures the cookie itself will only be transmitted over an SSL connection.
Sessions Should End
a sign out button should be easy to find on every page of your application. Make it easy for users to destroy their session when they want to.
HTTP Only
There are several cross site scripting (XSS) attacks aimed at stealing session cookies. Setting the cookie’s HttpOnly attribute prevents the cookie from being transmitted via scripts, greatly reducing the risk of XSS.
cookies.signed[:secure_session] = {httponly: true, value: "#{user.salt}#{user.id}"}
Restrict The Domain(and path)
If the attribute is not explicitly set, the default value is set to only allow the cookie to be sent to the origin server. If the application requires a broader set of permissions, it can be accomplished by specifying the domain attribute upon cookie creation.
Read full article from What is session ID? - Definition from WhatIs.com
What is session ID? - Definition from WhatIs.com
A session ID is a unique number that a Web site's server assigns a specific user for the duration of that user's visit (session). The session ID can be stored as a cookie, form field, or URL (Uniform Resource Locator).
Session IDs, in their conventional form, do not offer secure Web browsing. Skilled hackers can acquire session IDs (a process called session prediction), and then masquerade as authorized users in a form of attack known as session hijacking.
The session ID can also provide automatic authentication for future visits to that site or associated sites. If a cracker obtains session ID data, he can conduct an attack, such as session hijacking or session replay.https://en.wikipedia.org/wiki/Session_ID
As session IDs are often used to identify a user that has logged into a website, they can be used by an attacker to hijack the session and obtain potential privileges. A session ID is often a long, randomly generated string to decrease the probability of obtaining a valid one by means of a brute-force search. Many servers perform additional verification of the client, in case the attacker has obtained the session ID.
A session token is a unique identifier, usually in the form of a hash generated by a hash function that is generated and sent from a server to a clientto identify the current interaction session. The client usually stores and sends the token as an HTTP cookie and/or sends it as a parameter in GETor POST queries. The reason to use session tokens is that the client only has to handle the identifier (a small piece of data which is otherwise meaningless and thus presents minimal security risk) - all session data is stored on the server (usually in a database, to which the client does not have direct access) linked to that identifier.
JSESSIONID (Java EE), PHPSESSID (PHP), and ASPSESSIONID (Microsoft ASP)
http://www.shuatiblog.com/blog/2014/08/28/Http-cookie/
Types of HTTP Cookie
Session cookie
Persistent cookie
Max-age 1 year. The value set in that cookie would be sent back to the server every time the user visited the server. Also called tracking cookies
Secure cookie
The secure attribute is enabled, and is only used via HTTPS.
Third-party cookie
First-party cookies are cookies that belong to the same domain that is shown in the browser’s address bar. Third-party cookies are cookies that belong to domains different from the one shown in the address bar.
It opens up the potential for tracking the user’s browsing history.
Nowadays ther’e a new kind of HttpOnly cookie (used only when transmitting HTTP (or HTTPS) requests, thus restricting access from other, non-HTTP APIs such as JavaScript).
https://en.wikipedia.org/wiki/Session_hijacking
- Use of a long random number or string as the session key. This reduces the risk that an attacker could simply guess a valid session key through trial and error or brute force attacks.
- Regenerating the session id after a successful login. This prevents session fixation because the attacker does not know the session id of the user after s/he has logged in.
- Some services make secondary checks against the identity of the user. For example, a web server could check with each request made that the IP address of the user matched the one last used during that session. This does not prevent attacks by somebody who shares the same IP address, however, and could be frustrating for users whose IP address is liable to change during a browsing session.
Session sidejacking
- SSL only for login page: Of course if there is no SSL then the credentials too would be gone (forget about cookies!), but there are some developers who use SSL for the login page alone, assuming that the credentials are transported safely. But once the user is authenticated, it is the cookies (that go with each request) that identify him. All the requests that are done after logging in contain cookies, and if they are not protected with SSL, the session can be easily hijacked. Thus the password may not be stolen, but the session can be hijacked.
- Single URL is enough to hijack a user.
Session fixation
Session fixation is an attack where the attacker fixes the session in advance and just waits for the user to login in order to hijack it. This is very much applicable to the SIDs in the URL scenario. If the application associates a user with an incoming SID without checking if it is generated by the server, then this attack is possible.
Generating cookies before authentication
Cookies are supposed to be generated (or at least changed) after successful authentication. If the same cookie which is generated before authentication is used after authentication, then session hijacking is possible, as explained here with a simple example.
Predictable session IDsHow to get the IP address when a session is created?
you can access the RequestContextHolder and get the value
String ipAddr = ((ServletRequestAttributes)RequestContextHolder.currentRequestAttributes())
.getRequest().getRemoteAddr();http://stackoverflow.com/questions/30115960/does-a-java-session-httpsession-validate-ip-addresses
When a session is created for a user,
- a session id is created on server side.
- This session id is sent to the browser who sent the request
- this id is stored in a cookie called JSESSIONID
- Browser sends this cookies for subsequent request
- Server knows the session id on server side and validates with the one in cookies
- ip address is not checked for subsequent request. Session is identified using jsessionid
Unpredictability
SSL Is Important
Another, less draconian, method is to set the cookie as “secure”. This ensures the cookie itself will only be transmitted over an SSL connection.
Sessions Should End
a sign out button should be easy to find on every page of your application. Make it easy for users to destroy their session when they want to.
HTTP Only
There are several cross site scripting (XSS) attacks aimed at stealing session cookies. Setting the cookie’s HttpOnly attribute prevents the cookie from being transmitted via scripts, greatly reducing the risk of XSS.
cookies.signed[:secure_session] = {httponly: true, value: "#{user.salt}#{user.id}"}
Restrict The Domain(and path)
If the attribute is not explicitly set, the default value is set to only allow the cookie to be sent to the origin server. If the application requires a broader set of permissions, it can be accomplished by specifying the domain attribute upon cookie creation.
Read full article from What is session ID? - Definition from WhatIs.com
