What is session Hijacking?

Web-based applications frequently use sessions to provide a friendly environment to their users. HTTP is a stateless protocol, which means that it provides no
integrated way for a web server to maintain states throughout user’s subsequent
requests. In order to overcome this problem, web servers – or sometimes web
applications – implement various kinds of session management. The basic idea behind web session management is that the server generates a session identifier (ID) at some early point in user interaction, sends this ID to the user’s browser and makes sure that this same ID will be sent back by the browser along with each subsequent request. Session IDs thereby become identification tokens for users, and servers can use them to maintain session data (e.g., variables) and create a session-like experience to the users.

There are three widely used methods for maintaining sessions in web environment: URL arguments, hidden form fields and cookies. While each of them has its benefits and shortcomings, cookies have proven to be the most convenient and also the least insecure of the three. From security perspective, most – if not all - known attacks against cookie-based session maintenance schemes can also be used against URL- or hidden form fields-based schemes, while the converse is not true. This makes cookies the best choice security-wise.

Very often, session IDs are not only identification tokens, but also authenticators. This means that upon login, users are authenticated based on their credentials (e.g., usernames/passwords or digital certificates) and issued session IDs that will
effectively serve as temporary static passwords for accessing their sessions.

This makes session IDs a very appealing target for attackers. In many cases, an
attacker who manages to obtain a valid ID of user’s session can use it to directly enter that session – often without arising user’s suspicion. Interestingly, most cross-site scripting proof-of-concept exploits focus on obtaining the session ID stored in browser’s cookie storage. This class of attacks, where the attacker gains access to the user’s session by obtaining his session ID, is called session hijacking.

Web session security is focused on preventing three types of attacks against session IDs: interception, prediction and brute-force attacks. Encrypted communication effectively protects against interception1. Using cryptographically strong pseudorandom number generators and carefully chosen seeds that don’t leak from the server prevents prediction of session IDs. Finally, session IDs are immune to brute-force methods if their effective bit-length is large enough with respect to the number of simultaneous sessions.

Proposals have been made for mitigating the threat of stolen session IDs, and
some products already implement such ideas (e.g., RSA Security’s ACE/Agents for
web servers).