Threat of Session Hijacking and Steps to Prevent Them
BY webmaster
1 year ago
comments comment

Authors: Abhinand Gokhala K., Harikrishna Kelappurath

Sometimes when you try to open your Facebook profile it opens without asking username or password. It might have been because you logged in previously and forgot to log out. Did you ever try to understand why this is happening and it's significance?

It is because something is stored in your browser and is sent to the server when you accessed it again. So something which is highly confidential is stored in your web browser. What will happen if someone stole those details?

If someone gets that detail he could access the profile, this is called session hijacking.

This can be better explained using the scenario of the hospital system, i.e patient as the client, the hospital, doctor and the whole medical system can be considered as the server. First time when the patient takes an appointment, a token will be given to him and the case record with that token id will be retained in the hospital itself. Now whenever the patient visits a doctor, the doctor will get the previous health details of the patient with that token id from the hospital records. Hospital systems identify each patient using their token id. So anyone can get the treatment details of the patient using the token id of that patient. This is the real-life session hijacking situation. And we can also say that here token id, hospital system and patient are referred to as session id, server, and client respectively.

In this article we are going to explain what is session hijacking and how it is possible. Before that let’s look at some of the key terms used here.

What is meant by a client?

People sometimes mistakenly assume that the client referred to here is the person who sits in front of a computer system. But for a server, a web browser in a system is one client. For instance, consider two computer systems A and B. Firefox in A and Firefox in B are different clients. Firefox in A and Chrome in A are also different clients.

What is Session Information and Session ID?

The necessary information about a particular client stored on the server side is called Session Information. Session information is secure inside the server. From the server side, we can create session information with a unique id, this unique id is called session id. After creating a session, the session id is sent to the corresponding client. The client stores the session id as a session cookie. All further communication between the client and server includes sending the session cookie value from client to server.

For example, if you log in to a web application the following process will happen.

  1. Client sends a request to login to the application with username and password.
  2. Server creates a unique id (Session id) then creates a file with that session id as file name.
  3. Server saves necessary data about the client in the created file, for example: User id of logged user.
  4. Server sends that unique id to the client for storing that unique id as cookie.
  5. If the client accesses the profile page of that application, the web browser sends the stored cookies with that request.
  6. Server checks whether the session file corresponding to the session cookie value is present in the server. If session file is present, the server reads information in that file. From that the server will get the logged user id. Then server sends requested information related to that user id to the logged user.
  7. Similar to the above process, for all requests, the client will pass session cookie value to the server.

For a general understanding


This is a session file created on the server. PHP session files are stored in ‘/var/lib/php/sessions’ in default. Here filename is the session id which are random characters followed by ‘sess_’. In the session, the data is stored in the following format ‘data name|type: length: value’. In the above picture two data are stored, user_id and admin. In the case of user_id, the type is i(i denotes it is an integer value and s denotes string), length of the value is 1. And value of user_id is 1.


This picture shows the cookies stored in one such web browser. In the developer tool option, you can see the different types of cookies stored in the browser.

What is Session Hijacking?

Session hijacking is mimicking a different person by using that person’s session id. That is, if person A gets the session cookie information of person B and A stores that cookie in his web browser manually (similar to how B has stored the cookie in his browser). Then A can get the same access of B if that session file is present in the server. This is called session hijacking.

Video on Session Hijacking

How is Session Hijacking important?

Consider that a hacker gets the session cookie value of the bank application of a person, the hacker can get full access to that person‘s profile from the bank application. It is a big threat.

There are various ways in which session hijacking can be prevented. The preventive measures from the server side include cookie’s validation, cookie regeneration, session timeouts. Despite all these, there are limitations to what can be done from the server side. Complete prevention can be ensured only from the client side by making sure that the cookie value is kept safe through anti-malware software and by always logging out after usage.

XSS is one of the main methods used by hackers to steal cookie value from other clients.

To prevent XSS type of attack, developers can use HTML entities in the front end view of websites. This makes the data entered by users to always pass through functions to convert to HTML entities before it is shown in the front end view. In this way we can avoid XSS attack.

We will cover XSS in detail in another article. Are you concerned about the security aspects of your website development?
We can help you!



on 15th June 2012 / by deepa.n
Password-protecting drupal development site with .htaccess file There might be few scenarios when we need to protect our site from the general public and make it accessible to a selected group of users. One of the most common scenarios in the development workflow of a Drupal site is when you want to avoid your half-complete drupal site showing up in Google search results.For such needs, it is advisable to go for password-protecting the site using HTTP authentication. If you have cPanel installed on your hosting server, you can use the ‘Password Protect Directories’ option from the ‘Security’ section on the cPanel home page. Click here to read on How to enable HTTP Authentication using cPanel (link to an article for the same on our site) For those without cPanel, here’s how to get Apache work your way: Password protection on directories using .htaccess and .htpasswd: On a hosting server running using apache as the webserver, you need to do the following things to add HTTP Authentication (password protection) to your site: Create .htpasswd file Add/modify .htaccess file 1. Create .htpasswd file .htpasswd (do not forget to add the ‘.’ before htpasswd) is the file that stores the HTTP username and password. You need to tell Apache to verify against the credentials given in .htpasswd. First, to create .htpasswd with the desired username and password, SSH into your server (or open up a terminal window on your local machine, cd (change directory) to the folder where you want to create your password file, and type in the following command: htpasswd -c .htpasswd You'll be prompted to enter and retype your password, then the .htpasswd file will be created for you. Here’s what it looks like: user@user-desktop:~$ htpasswd -c .htpasswd userjohn New password: Re-type new password: Adding password for user userjohn If you open up the file, you can see the username and encrypted password generated. It looks something like this: userjohn:lOy81yOkKmeXc Step2: Add/modify .htaccess file .htaccess (that too, with the ‘.’), is the file that tells apache what custom settings to use for the site. What we have to do here is that we have to add the setting in .htaccess that tells apache to use the password in .htpasswd. Drupal has a default .htaccess file in its root. You just have to put in the following lines of code to your .htaccess file: AuthUserFile //.htpasswd AuthType Basic AuthName "Restricted Access" Require user userjohn is the path to the file from the Web server's root folder - for example, /home/username/.htpasswd or C:\wwwroot\username\.htpasswd. The above .htaccess file will password protect all files in the folder that it is placed in, and all sub-folders under that folder. For protecting your entire site, just place it in your web root. Apache Server Administration Drupal Security Web Security Access Control Leave a reply Your email address will not be published. Required fields are marker * website (not verified) access_time 23 Feb 2019 - 08:04 Hey this is kinda of off topic but I was wondering if blogs use WYSIWYG editors or if you have to manually code with HTML. I'm starting a blog soon but have no coding experience so I wanted to get guidance from someone with experience. Any help would be enormously appreciated! Add new comment

on 29th June 2012 / by Anoop John
Apache allows you to protect contents of specific directories in your website or the whole website from unauthorized access using a mechanism called httpd password protection. During development of new sites the partially built sites are protected from unauthorized access using httpd authentication. This could sometimes interfere with testing of integration with third party services that might expect some of your URLs to be accessible without authentication. Here is how you can exclude a given file or directory from httpd authentication The standard set of lines in htaccess to enabled httpd authentication is as follows AuthType Basic AuthName "Auth Required" AuthUserFile /path/to/.htpasswd Require valid-user Now adding the following below this will allow you to exclude directories and files # Allow access to excluded diretories SetEnvIf Request_URI "path/to/excluded/directory/" allow SetEnvIf Request_URI "path/to/excluded/file" allow Order allow,deny Allow from env=allow Satisfy any If you wrap the above in a <Limit GET> section you can limit the authentication to GET requests only. You can also allow access from specific IP addresses by adding the following for each IP you wish to allow Allow from Apache Server Administration Drupal Security Web Security Access Control Leave a reply Your email address will not be published. Required fields are marker * Muddy Mind (not verified) access_time 23 Feb 2019 - 08:04 Nice work this helps me a lot to some basic changes in my blog :) Add new comment

on 04th July 2013 / by sandeep.sasikumar
On certain servers, there are chances of our IP addresses getting blocked when we accidentally enter the wrong password multiple times or when we unintentionally try to ssh via the wrong port multiple times. The IP will be blocked for a certain period of time. If you have faced the same issue then read on to know how to block blacklisted IP addresses on a WHM based GNU/Linux server. Before trying to solve the problem we have to check the following things to identify where we went wrong: Check whether the username and password you entered is correct Check whether your passwords have unnecessary spaces. Check the default ssh-port Now lets see how to remove the blocked IP from WHM Login to WHM with the username and password [The funny part about the initial step is that now you won't be able to log into WHM because your IP is blocked, so try from any another connection with a different IP :) ]. After logging in to WHM the next step is to find out the 'Plugins' option. In the 'Plugins' option select 'ConfigServer Security&Firewall' In this option you will see a list of different features and from this list note the feature titled 'Temporary allow/deny', under this you can see your IP address. To unblock your IP address simply remove that IP from the IP address field. Now try connecting with your IP address and you should be able to acess it:) Linux System Administration Server Administration WHM Network Security Web Security Leave a reply Your email address will not be published. Required fields are marker * Alaa (not verified) access_time 23 Feb 2019 - 07:53 Thanks for the info. Anonymous (not verified) access_time 23 Feb 2019 - 07:53 i am using putty but not working my ip. Anonymous (not verified) access_time 23 Feb 2019 - 07:53 This is just what i have been looking for long. Got most of my routers ip blacklisted on whm. I read the tute, logged in the vps and cleared them up. Thanks Michelle (not verified) access_time 23 Feb 2019 - 07:53 It seems this normally happens when you make a change to a website or email on a diffrerent i.p. Either way thanks for the help. Jeffery (not verified) access_time 23 Feb 2019 - 07:53 May I know how to remove our IP from the Gmail blacklist? I need to know the reason why I was blacklisted. Here is my blog and I need help to configure a static IP address from Windows 7. Add new comment
Leave a reply
Your email address will not be published. Required fields are marker *

Filtered HTML

  • Web page addresses and email addresses turn into links automatically.
  • Allowed HTML tags: <a href hreflang> <em> <strong> <cite> <blockquote cite> <code> <ul type> <ol start type='1 A I'> <li> <dl> <dt> <dd> <h2 id='jump-*'> <h3 id> <h4 id> <h5 id> <h6 id>
  • Lines and paragraphs break automatically.
The content of this field is kept private and will not be shown publicly.
CAPTCHA This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.