Session Hijacking: Unauthorized Control

Howard Poston
Dec 21, 2023
Session Hijacking: Unauthorized Control

Websites use the concept of sessions to track a user’s identity as they browse through the site. Without sessions, a user would have to authenticate to each page of a restricted site, which would negatively impact the user experience. Instead, users are assigned a session ID that can be used to identify future requests in the same session.

In a session hijacking attack, a cybercriminal takes over a user’s existing session. This enables the attacker to masquerade as the user, potentially stealing sensitive information or performing malicious actions within the user’s account.

This article explores the session hijacking attack. This includes common techniques used to perform session hijacking, the potential impacts of these attacks, and best practices for protecting against these threats.

What is Session Hijacking?

HTTP — the protocol used for web browsing — is a stateless protocol. This means that web servers are not responsible for tracking information about users across multiple HTTP requests.

The concept of sessions is used to address this issue and enable a visitor to maintain state across their browsing session. After a user authenticates to a website, they will be given a session cookie or token. Every future request will include this token, which authenticates the user’s identity without needing to provide their credentials with each request.

In a session hijacking attack, a cybercriminal steals the cookie or token associated with an active session. This can be accomplished in various ways, such as sniffing network traffic or performing a man-in-the-middle (MitM) attack.

Since the user’s session cookie is used to identify their session, an attacker with access to this identifier can use it to take over the user’s session. As a result, the attacker can masquerade as the user, stealing sensitive data or performing other malicious actions in the context of their account.

Common Session Hijacking Techniques

To perform a session hijacking attack, the attacker needs to gain access to the session cookie or token used to track the user’s identity. This can be accomplished using various methods.

Man-in-the-Middle (MitM) Attacks

In a MitM or on-path attack, the attacker can intercept network traffic between a user and the web server. For example, the attacker may be operating a malicious wireless access point (AP) — an evil twin attack — or could have used BGP hijacking or ARP spoofing to redirect the user’s traffic to their own device.

If a user is browsing a website using HTTP — rather than encrypted HTTPS — a MitM attacker will be able to inspect the headers and content of each request made by the user to the website. Session cookies will be included in these requests, enabling the attacker to steal the session token used to validate the user’s identity.

Packet Sniffing

Packet sniffing is similar to a MitM attack but doesn’t require the attacker to intercept the user’s traffic. Instead, they eavesdrop on traffic without interfering with it. For example, all users of a wireless network can view each others’ traffic.

This form of session hijacking also depends on the user browsing via HTTP instead of HTTPS. If this is the case, then an attacker sniffing their network traffic may be able to see and steal the session ID from within the user’s network traffic.


Malware also has the capability to steal session cookies and other identifiers. Cookies are commonly stored as files on a user’s computer, so malware with access to the file system may be able to find and exfiltrate this information to an attacker. Alternatively, malware with access to a user’s browser may be able to sniff session cookies as they are sent to a website.

Cross-Site Scripting (XSS)

In a cross-site scripting (XSS) attack, the attacker injects malicious script code into a website. This can be accomplished in various ways that affect a particular user or any visitor to the site.

When the webpage is loaded, this script code is executed alongside the page’s other scripts and content. Since it is part of the webpage (or directly imported by it), it has access to the same data as the rest of the webpage.

With this access to data, the malicious script can steal various types of sensitive information entered into the page. This may include the token or cookie used to track a user’s identity across the site. If the malicious script sends this information to the attacker, then the attacker can use it to take over the user’s active session.

Session Fixation

Most approaches to session hijacking involve the attacker intercepting or stealing the user’s session identifier. In a session fixation attack, the attacker sets the session identifier for the user.

In this form of attack, the attacker generates a session identifier for a user and provides it to them, typically as part of a URL in a phishing attack. When the user authenticates to the vulnerable application and uses the malicious session ID, the attacker will be able to use that session ID to take over the attacker’s session.

Brute Force Attacks

A session ID should be a long, unique, and random value that identifies a particular user. However, if a website’s session management system is not implemented properly, this may not be the case.

Session IDs might be predictable — i.e. sequential or based on values such as IP addresses — or short enough to be vulnerable to brute force. If this is the case, an attacker may be able to guess a user’s session ID and use it to take over their session.

Cross-Site Request Forgery

A cross-site request forgery (CSRF) attack involves tricking a user’s browser into making a request to another website. For example, a user might be tricked into visiting a phishing page or a website with a malicious ad. As part of rendering this page, the browser might need to make several follow-up requests for images and other content.

In an CSRF attack, one of these requests will be made to the site where the attacker is attempting to take over the user’s session. If the user has an active session with that site, their browser will automatically include the session cookie or token as part of this request.

When it receives this request, the target site will authenticate the user’s identity using the provided cookie or token. Since this identifier is legitimate, the site will open the associated page and perform any requested actions. If a site lacks CSRF protection, this could result in changing the user’s password, initiating a wire transfer, or some other damaging action.

In an CSRF attack, the attacker never gains direct control over the user’s session or knowledge of the session identifier. However, they effectively control the user’s session because they are tricking the user’s browser into performing requests on their behalf.

Recent Examples of Session Hijacking

Session hijacking attacks provide an attacker with control over a user’s active session and their logged-in account. This can allow the attacker to steal sensitive data or perform other malicious actions related to a user’s account.

CVS Health

A 2021 data breach by CVS Health demonstrated the potential risk of session hijacking attacks on a large scale. The pharmacy chain had a cloud database containing billions of customer records exposed publicly on the cloud.

In addition to other sensitive information, this database included the session IDs and visitor IDs used to track customers’ shopping carts and other session details. With access to the database, an attacker could take over a user’s account and potentially link their identities to purchases and other sensitive medical data.


Another common example of session hijacking is the surge of Zoom-bombing attacks during the COVID-19 pandemic. At this time, many organizations turned to Zoom to enable the meetings and other gatherings that would previously have been performed in person.

However, these meetings were not always password-protected and were accessed via links that could be stolen or guessed. As a result, many meetings were invaded by uninvited guests who yelled profanities or shared inappropriate images. These attacks also ran the risk of exposing sensitive information if an attacker could access shared files or listen in to private conversations.

Session Hijacking Prevention

Session hijacking attacks allow a cybercriminal to impersonate a user and take over their online sessions. There are various ways that users and organizations can protect against session hijacking attacks, including the following:

  • Secure Session Management: Session cookies should be randomly generated and securely stored on the client’s computer. When these cookies are presented to a website, it should verify these cookies to ensure that they are legitimate.
  • Use HTTPS: HTTPS encrypts and authenticates all of the data within a web browsing session as it travels over the network. By doing so, it protects against MitM and packet sniffing attacks by encrypting the session cookies used to track user identities.
  • Use a VPN: If HTTPS is not available for a site or app, a virtual private network (VPN) is a good alternative. A VPN will encrypt all traffic between a user’s computer and the VPN endpoint, protecting against eavesdropping and MitM attacks.
  • Don’t Click Suspicious Links: Malicious links in phishing emails or on websites may contain a predetermined session ID or a malicious XSS script. Be cautious of clicking on links, especially if it contains HTTP queries (additional data beyond the URL).
  • Use an Antivirus: Malware has the ability to steal session cookies and enable session hijacking. Using an antivirus to detect, block, and remediate malware infections can help to protect against these attacks.
  • Use the HttpOnly Flag: The HttpOnly flag is used to prevent session cookies from being accessible to JavaScript. This prevents the malicious scripts used in XSS attacks from gaining access to this information.
  • Short Session Timeout Periods: Session cookies commonly have a timeout period that defines how long the cookie can be used to identify a user. By setting these timeouts to a relatively short period, a website reduces the length of time that an attacker can use this cookie to gain access to a user’s account.
  • IP Address Binding: Session cookies can be associated with the specific IP address used to initiate the session. By doing so, a website prevents an attacker from using a stolen session cookie from another IP address.
  • Step-Up Authentication: Session cookies can be used to identify users for normal actions, but a site may implement additional verification for riskier activities. For example, the site could require multi-factor authentication (MFA) before making a purchase even if the request came as part of an active session.
  • User Notifications: A web server may use behavioral analytics to identify suspicious activities, such as a session changing IP addresses. The site could then notify the user via email, SMS, etc. of the change, enabling them to take action to lock down their account.


Session hijacking is an attack designed to allow a cybercriminal to masquerade as a legitimate user. After a user has authenticated to a website and received a session token, the attacker steals this token via some means. With access to this token, the attacker can hijack the user’s session, pretending to be them.

Session hijacking attacks can have numerous negative impacts on individuals and organizations. A session hijacking attack can enable an attacker to steal sensitive personal or business data that is available via the user’s hijacked session with the website. Alternatively, the attacker can perform malicious actions using the hijacked session, such as stealing money from the user or using their compromised account to perform spear phishing and other attacks.

For individuals, the most effective protection against session hijacking is to use HTTPS and a VPN whenever possible. Organizations can implement various defenses against session hijacking, such as limiting access to session cookies with the HttpOnly flag and requiring additional authentication before performing high-risk actions.

Kelvin Zero’s Multi-Pass enables businesses to perform strong user authentication with minimal impact on the user experience. Multi-factor biometric authentication provides assurance of the user’s identity without the need for users to enter passwords or other information. Learn more about enhancing the security of your customers and employees with Multi-Pass today.

Howard Poston

Howard Poston is a copywriter, author, and course developer with experience in cybersecurity and blockchain security, cryptography, and malware analysis. He has an MS in Cyber Operations, a decade of experience in cybersecurity, and over five years of experience as a freelance consultant.