Web Application Security Guide/Session stealing
An attacker who is able to obtain or guess the session ID can steal the session and abuse the privileges of the user.
To prevent this type of attack:
- Set the “HttpOnly” attribute for session cookies
- Generate random session IDs with secure randomness and sufficient length
- Do not leak session IDs
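The first two points above, generating the session ID from a cryptographically secure source and marking the cookie HttpOnly, as an added Python example that is not part of the original guide (the cookie name `SESSIONID` and the 32-byte length are assumptions; Secure and SameSite are added as related hardening):

```python
import secrets
from http.cookies import SimpleCookie

SESSION_ID_BYTES = 32  # 256 bits drawn from the OS CSPRNG; far beyond guessable


def new_session_id(nbytes: int = SESSION_ID_BYTES) -> str:
    """Return an unguessable session ID.

    secrets.token_urlsafe() uses os.urandom(); never derive a session ID from
    random.random(), a timestamp, a counter or the user name, all of which an
    attacker can predict or enumerate.
    """
    return secrets.token_urlsafe(nbytes)


def session_cookie_header(session_id: str, name: str = "SESSIONID") -> str:
    """Build the Set-Cookie header value for the session cookie.

    HttpOnly keeps the cookie out of document.cookie, so an injected script
    cannot read and exfiltrate it; Secure stops it leaking over plain HTTP.
    """
    cookie = SimpleCookie()
    cookie[name] = session_id
    cookie[name]["httponly"] = True
    cookie[name]["secure"] = True
    cookie[name]["samesite"] = "Strict"
    cookie[name]["path"] = "/"
    return cookie[name].OutputString()


def cookie_is_hardened(set_cookie_value: str) -> bool:
    """Audit a Set-Cookie value: True only if HttpOnly and Secure are both set."""
    attributes = {part.strip().lower() for part in set_cookie_value.split(";")[1:]}
    return "httponly" in attributes and "secure" in attributes


if __name__ == "__main__":
    header = session_cookie_header(new_session_id())
    print("Set-Cookie:", header)
    print("hardened:", cookie_is_hardened(header))
```

`cookie_is_hardened` can be pointed at the Set-Cookie headers an existing application emits to find session cookies that are still readable from script.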