butterfly/kb
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
e206bfafb2
kb/data/developer.mozilla.org/en-US/docs/Glossary/Session_Hijacking-0.md

12 KiB
Raw Blame History

title chunk source category tags date_saved instance
Session hijacking - Glossary | MDN 1/3 https://developer.mozilla.org/en-US/docs/Glossary/Session_Hijacking reference web, html, css, javascript, documentation 2026-05-05T05:45:06.044734+00:00 kb-cron

MDN HTML HTML: Markup language

HTML reference

HTML guides

Markup languages

CSS CSS: Styling language

CSS reference

CSS guides

Layout cookbook

JavaScriptJS JavaScript: Scripting language

JS reference

JS guides

Web APIs Web APIs: Programming interfaces

Web API reference

Web API guides

All All web technology

Technologies

Topics

Learn Learn web development

Frontend developer course

Learn HTML

Learn CSS

Learn JavaScript

Tools Discover our tools

About Get to know MDN better

Blog

  1. Glossary
  2. Session hijacking

Session hijacking

Session hijacking occurs when an attacker takes over a valid session between two computers. The attacker steals a valid session ID in order to break into the system and snoop data. Most authentication occurs only at the start of a TCP session. In TCP session hijacking, an attacker gains access by taking over a TCP session between two machines in mid session. The attacker sniffs and accesses a legitimate session id from a user interacting with a web server, then uses that session identifier to spoof the session between the regular user and the server to exploit the user's session and access the server directly.

In this article

Session hijacking occurs because

  • no account lockout for invalid session IDs
  • weak session-ID generation algorithm
  • insecure handling
  • indefinite session expiration time
  • short session IDs
  • transmission in plain text

Session hijacking process

  1. Sniff , that is perform a man-in-the-middle (MITM) attack, place yourself between victim and server.
  2. Monitor packets flowing between server and user.
  3. Break the victim machine's connection.
  4. Take control of the session.
  5. Inject new packets to the server using the Victim's Session ID.

Protection against session hijacking

  • create a secure communication channel with SSH (secure shell)
  • pass authentication cookies over HTTPS connection
  • implement logout functionality so the user can end the session
  • generate the session ID after successful login
  • pass encrypted data between the users and the web server
  • use a string or long random number as a session key

See also