OWASP Periodic Table of Vulnerabilities - Cookie Theft/Session Hijacking

Root Cause Summary
It's possible for an attacker to steal and abuse session identifiers when these are stored in cookies.

Browser / Standards Solution
None

Perimeter Solution

 * Make sure that all session identifiers are transmitted over an encrypted protocol.
 * Terminate or regenerate the session if the session token is transmitted insecurely.
 * Enforce the Secure and HttpOnly flags on cookies using a Web Application Firewall.

Complexity: Low Impact: High

Generic Framework Solution

 * Force the Secure and HttpOnly flags on all cookies.
 * Make sure that the Domain and Path attributes are set correctly.
 * Alert user and deauthorize oldest session when multiple simultaneous logins are detected.
 * Terminate session if User-Agent string or other client fingerprinting changes.

Complexity: Medium Impact: High
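The framework-level controls listed above, as an added example that is not part of the OWASP page: a minimal session store that issues the cookie with the recommended flags, binds each session to a hashed User-Agent fingerprint and terminates it on change, and deauthorizes the oldest session (returning an alert flag) when a user exceeds a concurrent-login limit. The limit of two sessions, the domain `app.example`, and the SameSite attribute are assumptions for the example.

```python
import hashlib
import secrets
from collections import OrderedDict

MAX_SESSIONS_PER_USER = 2  # assumed policy value; not taken from the OWASP page

def fingerprint(user_agent: str) -> str:
    """Hash the client fingerprint so the raw User-Agent is never stored."""
    return hashlib.sha256(user_agent.encode()).hexdigest()

def session_cookie(token: str, domain: str = "app.example", path: str = "/") -> str:
    """Build a Set-Cookie header carrying Secure, HttpOnly and an explicit scope.
    SameSite=Lax is an addition beyond the page's list."""
    return (f"sid={token}; Domain={domain}; Path={path}; "
            "Secure; HttpOnly; SameSite=Lax")

class SessionStore:
    def __init__(self):
        self.sessions = {}   # token -> (user, fingerprint)
        self.by_user = {}    # user -> OrderedDict of that user's tokens, oldest first

    def login(self, user: str, user_agent: str):
        """Create a session; beyond the limit, drop the oldest and flag an alert."""
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, fingerprint(user_agent))
        active = self.by_user.setdefault(user, OrderedDict())
        active[token] = None
        alert = False
        while len(active) > MAX_SESSIONS_PER_USER:
            oldest, _ = active.popitem(last=False)   # deauthorize the oldest session
            self.sessions.pop(oldest, None)
            alert = True                             # caller should notify the user
        return token, alert

    def validate(self, token: str, user_agent: str):
        """Return the user for a live session; terminate it if the fingerprint changed."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        user, stored_fp = entry
        if stored_fp != fingerprint(user_agent):
            self.terminate(token)
            return None
        return user

    def terminate(self, token: str):
        entry = self.sessions.pop(token, None)
        if entry:
            self.by_user.get(entry[0], OrderedDict()).pop(token, None)
```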

Custom Framework Solution
None

Custom Code Solution
None