session-hijacking

I'm looking for a plain English, "for dummies" explanation of how does JSESSIONID work from security aspects Can someone who merely knows my current JSESSIONID impersonate / hijack my session? In what scenarios JSESSIONID will be part of the URL, and is this OWASP #2 security risk (scenario #1) still relevant for latest versions of Tomcat / Glassfish, and if so, what to "turn off/on" to prevent it? Q: Can someone who merely knows my current JSESSIONID impersonate / hijack my session? A: Yes. That's why it is important that your site is careful with cookies. Indeed, if you are worried about

I have been reading up on session fixing/hijacking recently, and understand the theory. What I don't understand is how this would be exploited in practice. Would you have to tamper with your browser to make use of the stolen cookies? Append it to the URL and pass it to the web application? Or would you write some sort of custom script to make use of this, and if so what would it do? I'm not trying to ask for help with this or examples, but I am trying to learn more and understand. Any help is appreciated. Forging a cookie is trivial. As mentioned by Klaus, you can do it right out of your

While I was reading about session hijacking articles, i learned that it would be nice to encrypt session id value that is stored in a cookie. As far as I know, when I start a session by calling session_start() , PHP does not encrypt session id value in a cookie. How do I encrypt session id value and then initialize session with it? Encrypting won't help. The session cookie is just a magic number anyway. Encrypting it just means there's a different magic number to hijack. Depending on what hijacking scenarios you have in mind, there are other possible mitigations. For example, you can limit

Something very strange and embarrassing happened to me the other day and I don't have words to describe what happened. My app runs Spring 3 integrated with JSF 2.1, Hibernate 4, Spring Security all on Tomcat 7. I was over the phone with someone important from C-level and we were both simultaneously on the test environment at the same time on the same pages. He went to navigate to a page that I was navigating to at pretty much the same moment when his page came up with my personal account details. I didn't believe him, so I walked over to his office and sure enough, he somehow was logged on as

I'd like to find out what session ID hijacking protection is built into the current version of ASP.NET. I recently saw this very informative article that explains how session security can be enhanced by implementing an additional layer that encodes the IP address and user agent header into the session id. These details are then verified on each subsequent request. It seems that this article was written for ASP.NET 1.1 so I'd like to know if anything similar is now built into ASP.NET. Is it still of any benefit to implement such an additional layer? Thanks. Check out this snippet from the

It keeps running in my mind the last couple of days, but I read some articles about how to make your PHP sessions more secure. Almost all of these articles say that you need to save the useragent in the session WITH an additional salt. Something like this: $fingerprint = md5('SECRET-SALT'.$_SERVER['HTTP_USER_AGENT']); The salt would make it harder for an attacker to hijack or whatever the session. But WHY add a salt every time you would check it like this: md5('SECRET-SALT'.$_SERVER['HTTP_USER_AGENT']) == $_SESSION [ 'fingerprint' ] So WHY would a salt make it more secure, since the attacker