Session Hijacking

Session hijacking. Source: Tuit.
Session hijacking. Source: Tuit.

A session is an interactive information exchange between two or more communicating devices, or between a computer and a user, in computer science and networking in particular.

A session is started at one point in time and eventually 'torn down' - that is, brought to an end - at a later moment. In a well-established communication session, more than one message may be sent in either direction.

A connection-oriented communication requires the establishment of a session. In connectionless communication modes, a session is also the first stage in transmitting data.

Session hijacking, often called cookie hijacking, is the act of taking control of an already established trustworthy session in order to steal or compromise the data of the user. In a session hijacking attack, the attacker takes control of the user's valid session, and sends packets to the server while impersonating the real user.


  • What's the role of cookies in session hijacking?

    Cookie hijacking, is the exploitation of a valid computer session in computer science. It is specifically applied to the theft of a magic cookie that is used to authenticate a user to a distant service. It's crucial for web developers because the HTTP cookies used to keep a session on many websites can be stolen by an attacker utilising an intermediary computer or accessing the victim's saved cookies.

    For example: Justin receives an email advertising a sale at his favourite online retailer, which he clicks on and logs in to begin shopping. After which, a session is created on the server. This maintains the state and is referenced during his any future requests. The session ID generated is stored in cookies, URLs, and hidden fields of websites, based on predictable parameters like the current time or the user's IP address, making them easy to determine for an attacker. The attacker sends an email with his own session ID in the link to Justin. As Justin has saved credit card details for easy use in the future, the attacker after stealing the session uses the card details to go on a shopping spree.

  • What are the different types of session hijacking?
    An example of active session hijacking. Source: Scrivener Publishing.
    An example of active session hijacking. Source: Scrivener Publishing.

    An active session hijacking occurs when an attacker takes control of the victim's active session and begins to communicate with the server as a legitimate user. A common way to break a user's connection to the server is to flood the target system with a large amount of traffic. The attacker gets complete control over the session after putting the victim into offline mode. Using packet sniffing tools the attacker remains in stealth mode during this process, listening and monitoring the packets transiting the network.

    In a passive session hijacking attack, the attacker listens to all of the data and records it for future attacks. In most circumstances, the attacker must start with passive mode to launch any type of hijacking attack. The attacker may not succeed in impersonating a user to the server unless the user session is still active. This is a typical man-in-the-middle attack because the attacker is in-fact between the user and the server modifying and sending the packet.

    In hybrid session hijacking, the attacker uses both passive and active attack techniques to successfully execute the attacks.

  • What are the levels of session hijacking?
    Levels of session hijacking. Source: Learn Hub.
    Levels of session hijacking. Source: Learn Hub.

    Hackers use Network level session hijacking to personalise their assault and breach the protocol's data flow shared by all online applications. TCP (Transmission Control Protocol) allows dependable end-to-end communication over an unreliable network. The attacker prevents the client and the server from exchanging data by forging acceptable packets for both ends that appear like actual packets, taking command of the session. UDP (User Datagram Protocol) is weaker than TCP as it does not employ sequence/numbers. The hijacker fakes a server reply to a client UDP request before the server can react.

    The attacker aims to hijack current sessions and establish new sessions with stolen data at the Application level. HTTP (Hyper Text Transfer Protocol) used by the World Wide Web specifies how messages are formatted and delivered between clients and servers, and what actions Web servers and browsers should take response to various instructions. The first step in hijacking HTTP sessions is obtaining Session IDs. The areas to get a session ID are: in the HTTP GET request URL obtained by the browser, by using cookies saved on the client's computer and within the form fields.

  • What are the methods of session hijacking?

    Brute force – The attacker guesses the session ID and uses it to hijack the session, usually when a website's security is low and the session IDs are short and easy to guess.

    Cross-site scripting – An attacker finds security flaws in a web server and injects scripts into it, which gives the session ID to the attacker.

    Malware – To hijack a session, cybercriminals can deceive one into opening a link that installs malware (malicious software) on the device. It finds a session, steals the session cookie, and delivers it to the attacker.

    Session Sidejacking – An attacker obtains access to a user's network traffic, usually when the user connects to an insecure Wi-Fi network, and further monitors the internet user's network traffic using "packet sniffing".

    Session fixation - An attacker creates a session ID and deceives the user into using it to establish a session, by sending an email to the user with a link to a login form for a website.

    In the man-in-the-middle (MITM) attack, the attacker is placed between the victim and another system and acts as an unknown proxy for one/both of the two communicating destinations.

  • Which are some session hijacking tools and approaches used by attackers?

    CookieCadger is a free open-source tool for detecting "information leakage" in online applications. It can look for unencrypted data, including session cookies, on both wired and insecure Wi-Fi networks. CookieCadger is a graphical Java software that automates sidejacking and replay of HTTP requests in order to detect data leakage from applications that use unencrypted GET requests.

    DroidSheep is an open-source Android app that uses "packet sniffing" to extract session cookies and other exposed data from unsecured Wi-Fi web browsing sessions. DroidSheep is a basic Android tool for stealing web sessions (sidejacking).

    In May 2012, Google Play released an app called WhatsApp Sniffer. It may show messages from other WhatsApp users who were on the same network as the app user. WhatsApp used an XMPP(Extensible Messaging and Presence Protocol) infrastructure with encryption at the time, rather than plain-text communication.

    FireSheep is a Firefox browser add-on. The FireSheep addon allowed attackers to identify and copy unencrypted session cookies that might be exploited in session hijacking attacks via "packet sniffing." FireSheep took advantage of security flaws and is no longer compatible with the FireFox browser.

  • How can session hijacking attacks be prevented?

    The session ID, a piece of data used in network communications to identify a session, is recommended. This lowers the chances of an attacker guessing a valid session ID via trial and error or brute force attacks.

    When you use public Wi-Fi, also use a VPN (virtual private network) to assist stay safe and prevent session hijackers out of your sessions is one of the best practices on the client-side. The data sent and received using a VPN is encrypted.

    Prevent clicking on any unconfirmed link in an email unless it comes from a legitimate sender to avoid falling victim to a scam, on the client-side.

    Install reliable security software on devices to identify viruses and guard against malware, on the client-side including the malware used by attackers to hijack sessions.

    Keep an eye on the site's security. Session hijacking is prevented by measures in place at reputable banks, email providers, online retailers, and social media sites. Smart website owners will enable HTTPS (Hypertext Transfer Protocol Secure) across the board, not only on the homepage. They'll also quickly identify and close security flaws. This a server-side prevention technique.

  • How does an attacker identify vulnerabilities?

    These vulnerabilities (weaknesses/defects that can be exploited by an attacker) make session hijacking possible:

    Session IDs created using Fragile Algorithm:

    A session ID is a data piece used in network communications to identify a session. Websites generally create them using linear algorithms with easily calculable variables like time or IP address. By submitting a large number of requests, an attacker can observe a chronological pattern and generate a legitimate session ID.

    Undefined Session-Termination Time:

    An attacker has plenty of time to guess a legitimate session ID if the session expiration time is unknown. On obtaining a user's cookie file, the attacker can exploit passive session IDs to get access to the user's web account.

    Plain-Text Transmission:

    The unencrypted data delivered over the network can readily be sniffed for Session ID. SSL is used to encrypt data during transmission and prevent it from being sniffed.

    Small Session IDs:

    They can be easily determined by using a strong cryptographic technique. The attacker can even figure out the session ID pattern.

    Indefinite attempts:

    For websites without an account lockout, the attacker can make multiple attempts with different session IDs until the original session ID is discovered.



Warning of webmail wi-fi hijack. Using public Wi-Fi hotspots has become a lot riskier, as security experts have revealed techniques that may capture login data over the air.


Firesheep, a Mozilla Firefox extension, is launched, providing a simple way for session hijackers to attack users of unencrypted public Wi-Fi. Websites such as Facebook, Twitter, and any others that the user adds to their preferences allow the Firesheep user to quickly access private information via cookies, endangering the personal property of public Wi-Fi users.


Facebook is now SSL-encrypted throughout. Not only during log-in, but also on all other pages of the Facebook social networking site, secure data transmissions via SSL are now available. As a result, even cookies are now transferred in encrypted form, and attackers employing tools like Firesheep can no longer read and exploit them for fraudulent purposes.


Twitter adds "Always use HTTPS" option.Twitter implements a new feature that allows users to always use HTTPS when accessing, delivering secure data transmissions via SSL not only during log-in, but also for other pages. This means that even cookies are now transferred in encrypted form, and attackers employing tools like the Firesheep plugin for Firefox can no longer read and exploit them for fraudulent purposes.


A Google Play app called WhatsApp Sniffer is released. It may show messages from other WhatsApp users who are on the same network as the app user. WhatsApp connects using an encrypted XMPP infrastructure rather than plain text.


  1. BBC News. 2007. "Warning of webmail wi-fi hijack." BBC News, August. Accessed 2022-02-19.
  2. Baitha, Anuj Kumar, and Smitha Vinod. 2018. "Session Hijacking and Prevention Technique." International Journal of Engineering & Technology, March. Accessed 2022-02-06.
  3. Biswal, Chandra Sekhar, and Subhendu Kumar Pani. 2020. "Cyber-Crime Prevention Methodology." Scrivener Publishing LLC, November. Accessed 2022-02-20.
  4. Eggleston, Gene, and Mitch Hansen. 1998. "Sessionless-oriented protocol and session-oriented protocol." FreePatentsOnline. Accessed 2022-02-19.
  5. Fitzpatrick, Jason. 2010. "Firesheep Sniffs Out Facebook and Other User Credentials on Wi-Fi Hotspots." Lifehacker, October. Accessed 2022-02-19.
  6. Jain, Vineeta, Divya Rishi Sahu, and Deepak Singh Tomar. 2015. "Session Hijacking: Threat Analysis and Countermeasures." ResearchGate, February. Accessed 2022-02-19.
  7. Johnson, Allie. 2021. "Session hijacking: What is a session hijacking and how does it work?" NortonLifeLock. Accessed 2022-02-19.
  8. Joshi, Sagar. 2021. "What Is Session Hijacking? How to Ensure Session Privacy." Learn Hub. Accessed 2022-02-20.
  9. Kamal, Parves. 2016. "State of the Art Survey on Session Hijacking." Global Journals Inc. (USA). Accessed 2022-03-05.
  10. Kapoor, Shray. 2019. "Session Hijacking Exploiting TCP, UDP and HTTP Sessions." InfoSecWriters. Accessed 2022-03-12.
  11. Kumawat, Gautam. 2021. "Session hijacking is an attack where a user session is taken over by an attacker." Tuit. Accessed 2022-02-21.
  12. Lin, Mark. 2005. "An Overview of Session Hijacking at the Network and Application Levels." Global Information Assurance Certification Paper. Accessed 2022-03-05.
  13. Louis, Jerry. 2011. "Detection of Session Hijacking.Page:11-14." University of Bedfordshire, January. Accessed 2022-02-19.
  14. OWASP.a. 2022. "Session hijacking attack." OWASP. Accessed 2022-03-30.
  15. OWASP.b. 2022. "Session Management Cheat Sheet." OWASP Cheat Sheet Series. Accessed 2022-03-30.
  16. The H. 2011. "Facebook now SSL-encrypted throughout." The H Security, January. Accessed 2022-02-19.
  17. The H Security. 2011. "Twitter adds "Always use HTTPS" option." The H Security, March. Accessed 2022-02-19.
  18. The H.a. 2012. "WhatsApp no longer sends plain text." The H Security, August. Accessed 2022-02-19.
  19. The H.b. 2012. "Sniffer tool displays other people's WhatsApp messages." The H Security. Accessed 2022-03-06.
  20. Wikipedia. 2004. "Session (computer science)" Wikipedia, the free encyclopedia. Accessed 2022-02-19.
  21. Wikipedia. 2006. "Session hijacking." Wikipedia, the free encyclopedia. Accessed 2022-02-19.

Further Reading

  1. cWatch Web. 2021. "What is Session Hijacking?" cWatch. Accessed 2022-02-06.
  2. Malwarebytes Labs. 2016. "Browser hijacker." Malwarebytes. Accessed 2022-02-06.
  3. Baitha, Anuj Kumar, and Smitha Vinod. 2018. "Session Hijacking and Prevention Technique." International Journal of Engineering & Technology, March. Accessed 2022-02-06.
  4. Fitzpatrick, Jason. 2010. "Firesheep Sniffs Out Facebook and Other User Credentials on Wi-Fi Hotspots." Lifehacker, October. Accessed 2022-02-06.

Article Stats

Author-wise Stats for Article Edits

No. of Edits
No. of Chats

Cite As

Devopedia. 2022. "Session Hijacking." Version 9, March 31. Accessed 2023-11-12.
Contributed by
2 authors

Last updated on
2022-03-31 08:16:26