Session hijacking

A session ID is used to identify a user's visit when they log into a website. This information is exchanged between the server and the browser.

Typically, the session ID must be lengthy, random, unique and difficult to guess. This increases the time needed by those trying to hijack it. If the session ID is predictable, any type of hacker (novice, black hat, elite) could write a script to guess it.

A weak session ID can lead to the exposure of the user's profile and payment information, and can allow hackers to access the website without authentication.

Hackers can use a script to enumerate potential session IDs and try to access the website with them.

Many websites rely on web frameworks to generate safe and strong session IDs. Some measures include deactivating session IDs after a period of time, changing session IDs after each request, and preventing reuse of session IDs. Also, some web frameworks choose to sign the cookies (append some encoded text to the cookie data) that hold the session ID. This digital signature is an enciphered value that can only be deciphered by the website. Cryptography!
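The measures above (an unguessable ID, a signed cookie, and deactivation after a period of time) can be sketched as follows. This is an added example, not code from this page or from any particular framework. It assumes the signature is an HMAC-SHA256 tag under a server-side key, and `SECRET_KEY`, `MAX_AGE` and the function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Assumptions for this example: the key lives only on the server and
# sessions are deactivated 30 minutes after they are issued.
SECRET_KEY = secrets.token_bytes(32)
MAX_AGE = 1800  # seconds


def new_session_id() -> str:
    """Return 256 bits from the OS CSPRNG: lengthy, random, unique, hard to guess."""
    return secrets.token_urlsafe(32)


def _tag(payload: str, key: bytes) -> str:
    """Compute the HMAC-SHA256 tag that is appended to the cookie data."""
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def sign_cookie(session_id: str, issued_at: int, key: bytes = SECRET_KEY) -> str:
    """Build the cookie value: session ID, issue time, then the signature."""
    payload = f"{session_id}.{issued_at}"
    return f"{payload}.{_tag(payload, key)}"


def verify_cookie(cookie: str, now: int, key: bytes = SECRET_KEY):
    """Return the session ID if the signature is valid and the session has
    not expired; return None for forged, altered, malformed or stale cookies."""
    parts = cookie.split(".")
    if len(parts) != 3:
        return None
    session_id, issued_raw, tag = parts
    expected = _tag(f"{session_id}.{issued_raw}", key)
    # Constant-time comparison, so response timing does not reveal how many
    # leading characters of a forged tag were correct.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    # The issue time is trusted only after the signature check has passed.
    if now - int(issued_raw) > MAX_AGE:
        return None
    return session_id
```

A cookie whose session ID was swapped for a guessed value fails the signature check before any session lookup, so a script enumerating IDs also has to forge the tag.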