Session Hijacking
Definition
Session hijacking is when an attacker takes over a user’s active session by stealing or abusing session identifiers such as cookies or tokens. Instead of logging in with the user’s password, the attacker uses the stolen session data to impersonate the user and access the same applications and permissions.
Examples
- An attacker steals a session cookie over an insecure connection and uses it to access the victim’s webmail without knowing the password.
- Malware on a device extracts browser session tokens and reuses them to access cloud services.
Discover 🔎
Most web applications keep you logged in by using a session. After you authenticate, the application gives your browser a token that proves you already logged in. That makes life convenient, but it also creates a target. If an attacker can steal that token, they may not need your password at all. They can simply become you, at least for as long as the session stays valid.
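To make the paragraph above concrete from the defender's side, here is an added example (not code from the original page) of a minimal server-side session store. It shows the controls that limit how much a stolen token is worth: unguessable tokens, strict cookie attributes, idle and absolute expiry, token rotation on login, and revocation on logout. Names such as SessionStore, IDLE_TIMEOUT and the injected clock are illustrative assumptions, not a real framework's API.

```python
# Added example (not from the original page): minimal session handling that
# limits the value of a stolen session token. All names are illustrative.
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap regardless of activity


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock          # injectable clock makes expiry testable
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str) -> str:
        # 256 bits from the OS CSPRNG: the token cannot be guessed or enumerated
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = Session(user, now, now)
        return token

    def resolve(self, token: Optional[str]) -> Optional[str]:
        """Return the user for a valid token, or None if it is missing,
        unknown, or expired (idle or absolute timeout)."""
        if not token:
            return None
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            self._sessions.pop(token, None)   # expired: a stolen copy stops working too
            return None
        s.last_seen = now
        return s.user

    def rotate(self, old_token: str) -> Optional[str]:
        """Issue a fresh token after login or a privilege change, so a token
        captured before authentication (session fixation) is worthless."""
        user = self.resolve(old_token)
        if user is None:
            return None
        self._sessions.pop(old_token, None)
        return self.create(user)

    def revoke(self, token: str) -> None:
        """Logout: delete server-side, so the token is dead even if a copy was stolen."""
        self._sessions.pop(token, None)


def set_cookie_header(token: str) -> str:
    """Build the Set-Cookie value for the session id.
    Secure: never sent over plain HTTP (the page's first example).
    HttpOnly: not readable by page scripts (the page's malware/token-theft example
    is not stopped by this, but script-based theft is).
    SameSite=Strict: not attached to cross-site requests."""
    return f"sid={token}; Path=/; Secure; HttpOnly; SameSite=Strict"


if __name__ == "__main__":
    store = SessionStore()
    first = store.create("alice")
    print(set_cookie_header(first))
    fresh = store.rotate(first)           # rotate right after authentication
    print("old token still valid:", store.resolve(first) is not None)
    print("new token valid:", store.resolve(fresh) == "alice")
    store.revoke(fresh)
    print("after logout:", store.resolve(fresh))
```

The design point is that every check happens on the server against state the server controls: a token that was stolen over the wire, from disk, or by script does not outlive the logout, the idle window, or the rotation step, and none of that depends on the attacker's copy being detectable.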