OWASP Periodic Table of Vulnerabilities - Cookie Theft/Session Hijacking
Revision as of 22:48, 13 May 2013 by Peter Mosmans
Cookie Theft/Session Hijacking
Root Cause Summary
It's possible for an attacker to steal and abuse session identifiers when these are stored in cookies.
Browser / Standards Solution
- Make sure that all session identifiers are transmitted over an encrypted protocol.
- Terminate/regenerate session if the session token is transmitted insecurely.
- Enforce the Secure and HttpOnly flags on cookies using a Web Application Firewall.
Generic Framework Solution
- force Secure and HttpOnly flags for all cookies.
- Make sure that the Domain and Path are set correctly
- Alert user and deauthorize oldest session when multiple simultaneous logins are detected.
- Terminate session if User-Agent string or other client fingerprinting changes.
Custom Framework Solution
Custom Code Solution