Friday, August 1, 2008

Prevention from Session Hijacking

Session hijacking is a technique in which an attacker intercepts a TCP session established between two machines in order to take it over. The term refers to the exploitation of a valid computer session, and the most important part of a session is its session key. An attacker typically exploits this session-related data to gain unauthorized access to information or services on a computer system. The technique is also used to steal cookies from a target system (a so-called magic cookie), which authenticate a user to a remote server. Sessions are of great importance to web developers because most websites use HTTP cookies to maintain them, and these cookies can easily be stolen by an attacker who controls an intermediary computer or who has access to the cookies saved on the victim's computer.


In this particular mode of hijacking, the authentication check is performed only when the session is opened, so a hijacker who successfully launches the attack can take control of the connection for the entire duration of the session. If an attacker is able to steal the session cookie, he can pretend to be the same user, or hijack the session during its lifetime.

There are three primary techniques for hijacking sessions:

  • Brute force - the attacker tries multiple session IDs until one is accepted.
  • Calculate - IDs are generated in a non-random manner and can be predicted.
  • Steal - using various techniques, the attacker obtains a valid session ID.



Methods to prevent session hijacking (to be followed by developers of any website):
  1. Regenerate the session ID after a successful login. This prevents session fixation, because the attacker does not know the session ID of the user after he has logged in.
  2. Use a long random number or string as the session key. This reduces the risk that an attacker could guess a valid session key through trial and error or brute force.
  3. Encrypt the data passed between the user and the web server, especially the session key.
  4. With each request, the web server can check that the client's IP address matches the one recorded for the session.
  5. Services can change the value of the cookie with every request received.
  6. Prevent eavesdropping within the network.
  7. Expire the session as soon as the user logs out.
  8. Reduce the life span of a session or a cookie.
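The following is an added example, not code from the original post, showing how several of the developer-side measures above fit together in one small server-side session store: a long random session ID (item 2), regeneration of the ID at login (item 1), an optional IP-binding check (item 4), invalidation on logout (item 7) and an idle timeout (item 8). It also emits the cookie attributes (Secure, HttpOnly, SameSite) that modern browsers support, which goes slightly beyond the 2008 post. The names SessionStore, SESSION_TTL_SECONDS and set_cookie_header, and the choice to store only a SHA-256 digest of each ID, are assumptions made for this example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Idle timeout for a session (assumption; tune per application).
SESSION_TTL_SECONDS = 15 * 60


@dataclass
class Session:
    user: Optional[str]   # None until the user has authenticated
    client_ip: str        # IP recorded when the session was created
    created: float
    last_seen: float


class SessionStore:
    """Minimal in-memory session store (example only)."""

    def __init__(self, ttl: int = SESSION_TTL_SECONDS, bind_ip: bool = True):
        # Keyed by SHA-256 of the session ID, so a leaked store does not
        # hand out usable IDs.
        self._sessions: Dict[str, Session] = {}
        self.ttl = ttl
        # IP binding (item 4) can break legitimate users behind NAT or on
        # mobile networks whose address changes, so it is optional.
        self.bind_ip = bind_ip

    @staticmethod
    def new_id() -> str:
        # 32 bytes from the OS CSPRNG: 256 bits, not guessable or calculable.
        return secrets.token_urlsafe(32)

    @staticmethod
    def _key(sid: str) -> str:
        return hashlib.sha256(sid.encode("ascii")).hexdigest()

    def create(self, client_ip: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        sid = self.new_id()
        self._sessions[self._key(sid)] = Session(None, client_ip, now, now)
        return sid

    def lookup(self, sid: str, client_ip: str,
               now: Optional[float] = None) -> Optional[Session]:
        """Return the live session for sid, or None if unknown, expired,
        or presented from a different IP than the one it was bound to."""
        now = time.time() if now is None else now
        key = self._key(sid)
        sess = self._sessions.get(key)
        if sess is None:
            return None
        if now - sess.last_seen > self.ttl:        # item 8: idle expiry
            del self._sessions[key]
            return None
        if self.bind_ip and sess.client_ip != client_ip:   # item 4
            return None
        sess.last_seen = now
        return sess

    def login(self, sid: str, user: str, client_ip: str,
              now: Optional[float] = None) -> Optional[str]:
        """Authenticate the session and return a NEW session ID (item 1).
        The pre-login ID is discarded, so a fixated ID is worthless."""
        now = time.time() if now is None else now
        old = self.lookup(sid, client_ip, now)
        if old is None:
            return None
        del self._sessions[self._key(sid)]
        new_sid = self.new_id()
        self._sessions[self._key(new_sid)] = Session(user, client_ip, now, now)
        return new_sid

    def logout(self, sid: str) -> None:
        # Item 7: the server forgets the session; closing the browser alone
        # would leave it valid until the idle timeout.
        self._sessions.pop(self._key(sid), None)


def set_cookie_header(sid: str, max_age: int = SESSION_TTL_SECONDS) -> str:
    """Cookie attributes that keep the ID off plain HTTP and away from
    script access (item 3 at the transport level)."""
    return (f"Set-Cookie: SESSIONID={sid}; Max-Age={max_age}; Path=/; "
            f"Secure; HttpOnly; SameSite=Strict")


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create("192.0.2.10")            # constructed client address
    authed = store.login(anon, "alice", "192.0.2.10")
    print(set_cookie_header(authed))
    print("old id still valid?", store.lookup(anon, "192.0.2.10") is not None)
```

The `now` parameter exists so the timeout logic can be exercised deterministically; production code would leave it at the default. Persisting only the digest of the ID is cheap insurance, and the regeneration in `login` is the single most effective line against session fixation.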

Methods to prevent session hijacking (to be followed by users of any website):
  1. Do not click on links forwarded to you through e-mail or IMs.
  2. Make sure you flush cookies and sessions from your browser after every confidential or sensitive transaction.
  3. Do not simply close the browser; make sure you click the log-out button before closing it.
  4. Use firewalls.
  5. Restrict cookies to the maximum extent possible using the browser and firewall settings.
  6. Clear history and offline content every few days.
  7. Prefer HTTPS rather than HTTP for sensitive and confidential transactions.
  8. Make sure that the website is certified by a certificate authority.

Feel free to write your comments and queries.