Web Application Security Guide/Session stealing

From Wikibooks, open books for an open world
Jump to navigation Jump to search

Session stealing

An attacker who is able to obtain or guess the session ID can steal the session and abuse the privileges of the user.

To prevent this type of attack

  • Set the “HttpOnly” attribute for session cookies
  • Generate random session IDs with secure randomness and sufficient length
  • Do not leak session IDs


Setting the “HttpOnly” attribute on cookies prevents them from being read using JavaScript. This makes it harder to perform successful XSS attacks. Random, secure session IDs prevent the attacker from guessing a valid session ID. Ensuring that session IDs do not leak, for example in Referer information, copied links and HTML content from the site etc. makes sure that the attacker cannot obtain the session ID in this way.