OWASP Periodic Table of Vulnerabilities - Cookie Theft/Session Hijacking


Root Cause Summary
An attacker who obtains a user's session identifier can replay it and act as that user. Identifiers leak when they are stored or transmitted insecurely, for example sent over cleartext HTTP, left readable by page scripts through document.cookie, or scoped to a wider Domain or Path than the application needs.

Browser / Standards Solution
Define a new standard for transmitting session identifiers and managing them within the browser, such as a new request/response header to be used instead of cookies.

Perimeter Solution

 * Ensure that all session identifiers are transmitted only over an encrypted protocol (TLS).
 * Terminate or regenerate the session if the session token is observed being transmitted insecurely, or signal the application to do so.
 * Enforce the Secure and HttpOnly flags on sensitive cookies at a Web Application Firewall or reverse proxy, rewriting outbound Set-Cookie headers that lack them.

Generic Framework Solution
The framework should provide a centralized cookie management API which prevents direct access to cookies. By default, cookies should be handled according to the following rules, which must be explicitly overridden if a developer has a specific need for a cookie with unsafe properties.

 * Apply the Secure and HttpOnly flags.
 * Scope the Domain and Path attributes as narrowly as the application allows: omit Domain so the cookie is host-only unless cross-subdomain sharing is required, and set Path to the application's root rather than a broader prefix.

The framework should provide a configurable session management scheme, which includes the following features:

 * Alert the user and deauthorize the oldest session when multiple simultaneous logins are detected. Multiple simultaneous logins are prohibited by default, but may be enabled by changing a configuration setting.
 * Terminate the session and send a security SNMP trap or other configurable message if the User-Agent string or other client fingerprint changes during the session.
 * Offer the user the option at login to pin the session to the originating IP address.

Custom Framework Solution
None

Custom Code Solution
None