What is the best way to prevent session hijacking?

by

Encrypting the session value will have zero effect. The session cookie is already an arbitrary value, encrypting it will just generate another arbitrary value that can be sniffed.

The only real solution is HTTPS. If you don’t want to do SSL on your whole site (maybe you have performance concerns), you might be able to get away with only SSL protecting the sensitive areas. To do that, first make sure your login page is HTTPS. When a user logs in, set a secure cookie (meaning the browser will only transmit it over an SSL link) in addition to the regular session cookie. Then, when a user visits one of your “sensitive” areas, redirect them to HTTPS, and check for the presence of that secure cookie. A real user will have it, a session hijacker will not.

EDIT: This answer was originally written in 2008. It’s 2016 now, and there’s no reason not to have SSL across your entire site. No more plaintext HTTP!

More Related Contents:

  1. What is the best way to implement “remember me” for a website? [closed]
  2. Are HTTP cookies port specific?
  3. Where to store JWT in browser? How to protect against CSRF?
  4. Should JWT be stored in localStorage or cookie? [duplicate]
  5. How to manually decrypt an ASP.NET Core Authentication cookie?
  6. How easily can you guess a GUID that might be generated?
  7. Remember me Cookie best practice?
  8. Setting cookie in iframe – different Domain
  9. Understanding CSRF
  10. PHP Session Security
  11. How do I create a self-signed certificate for code signing on Windows?
  12. Detecting if a browser is using Private Browsing mode
  13. Best way to handle security and avoid XSS with user entered URLs
  14. How do you protect your software from illegal distribution? [closed]
  15. How can I throttle user login attempts in PHP
  16. Why is using a Non-Random IV with CBC Mode a vulnerability?
  17. What should every programmer know about security? [closed]
  18. Is it safe to put a jwt into the url as a query parameter of a GET request?
  19. Stopping users voting multiple times on a website
  20. How do I store and retrieve credentials from the Windows Vault credential manager?
  21. MVC 6 Bind Attribute disappears?
  22. How will a server become vulnerable with chmod 777?
  23. PHP Sessions with disabled cookies, does it work?
  24. How to do stateless (session-less) & cookie-less authentication?
  25. RSA signature size?
  26. PHP session seemingly not working
  27. Keygen tag in HTML5
  28. Cache VS Session VS cookies?
  29. buffer overflow example from Art of Exploitation book
  30. How to send cookies with file_get_contents

Leave a Comment