Session Hijacking, or Cookie Hijacking, is a type of hacking that is on the rise and can put you at risk for identity theft, financial theft and even ransom.
We’ll explain what it is, how it happens and what you can do to prevent it.
What is a Session Anyway?
When you log in to a website, a session ID is created and stored as a temporary cookie in your browser. This cookie helps you stay logged in and perform any actions you need to take as an authenticated user.
A session cookie often lasts for a few hours or even minutes. However, if you select “remember me” when you log into a website, your browser will keep that session open, often for several days.
What is Session Hijacking?
Keeping yourself logged into a website for multiple days may seem convenient but it also opens you up to some serious security risks. It can leave you vulnerable to session hijacking by cyber criminals.
Session hijacking occurs when a user stays logged into a website and then moves on to perform other activities online. While the user is away, a hacker gains access to that individual’s session ID and can effectively impersonate that user in their own online accounts.
Gaining access to your session cookies allows a cyber criminal to perform all sorts of malicious acts, including: stealing money from your bank account, purchasing items from your Amazon account, grabbing personal data to commit identity theft, or encrypting important data and then demanding a ransom for its return.
How to Prevent Session Hijacking
Log Out After Each Session
Logging out of a website once you’re done using it is just good practice. However, it’s particularly important to do so if you’re using public WiFi or your computer could be accessed by someone else.
Use Caution with “Remember Me”
Many websites offer an option to stay logged into the site by clicking “Remember Me” underneath your login credentials. Use caution with this feature.
For instance, as long as your at-home WiFi is secured, it’s fairly safe to stay logged into your WordPress website while you’re working at home from a secure connection. However, if you’re using WiFi at a cafe, don’t check “remember me”.
We also recommend not using this feature for any website that might expose particularly sensitive information, such as a banking website. These sites will typically keep you logged in as long as you remain active. Once you’re done, there’s no benefit to staying logged in.
Never Use “Remember Me”
- On Public WiFi
- While Logged into Business Critical Websites
- Banking & Finance
- Logistics Websites
- HR
- Your Business Website, etc.
Use a Password Manager
A password manager doesn’t directly prevent session hijacking. After all, the whole point of session hijacking is that a hacker doesn’t need your password to access your account. They just need to access your session ID.
However, using a password manager can help you resist the temptation to stay logged into a website by making it easy and convenient to log in and out of any website without having to memorize complicated passwords.
In our opinion, password managers are an essential feature of website security and online best practices.
Check for HTTPS
HTTP is the primary protocol used to transmit data between a website and a browser. The “S” in HTTPS stands for “secure” and indicates that the data transmitted between the website and your browser is encrypted.
HTTPS encrypts data between your computer and the website you’re using, so attackers on the same network (e.g., public Wi-Fi) can’t easily see passwords, cookies and session tokens.
HTTPS also offers protection against other common forms of hacking:
- It prevents man-in-the-middle attacks, such as someone pretending to be the site you’re visiting.
- It stops classic tools like Firesheep (used on unsecured Wi-Fi to hijack sessions).
Most websites these days use HTTPS and many browsers will flag any site that doesn’t use the secure protocol. However, older websites may not be secure.
If a website doesn’t start with “https”, don’t use that website.
However, even with HTTPS, you can still be vulnerable to session hijacking if the site you’re visiting has any of the following issues:
1. Insecure Cookies
If a site doesn’t mark its cookies as Secure and HttpOnly, they could still be stolen in certain edge cases.
2. Cross-Site Scripting (XSS)
If an attacker injects malicious scripts into a webpage (via XSS), they can steal your session cookie, even on an HTTPS site.
3. Poor Session Management
If a site doesn’t properly rotate session tokens at login and invalidate them at logout, or leaves sessions open for too long, that’s a risk too.
While using HTTPS adds a vital layer of protection, HTTPS alone isn’t enough to keep you safe. This is where VPNs come into play.
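To make the three site-side issues above concrete, here is an added example in Python that is not code from the original article or from any particular website or framework. It shows, on the defending side, what a careful site does with the session cookie described at the start of the article: it sets the cookie with the Secure and HttpOnly flags (plus SameSite), it audits a Set-Cookie header for flags that are missing, and it keeps a server-side session table that issues a fresh random ID at login, invalidates the old one, removes the session at logout, and expires sessions that sit idle or live too long. The cookie name, the timeout values and the example users are assumptions made for this illustration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Assumed policy values for this example (not taken from any real site).
IDLE_TIMEOUT = 30 * 60          # 30 minutes without activity ends the session
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # 8 hours after creation the session ends regardless
REQUIRED_FLAGS = ("Secure", "HttpOnly", "SameSite")


def session_cookie_header(name: str, session_id: str, max_age: Optional[int] = None) -> str:
    """Build a Set-Cookie header value carrying the flags that limit cookie theft.

    Secure   -> the browser only sends the cookie over HTTPS, never plain HTTP
    HttpOnly -> page scripts cannot read it, so an XSS payload cannot simply copy it
    SameSite -> the browser withholds it on cross-site requests
    Max-Age is only added for a persistent ("remember me") cookie; without it the
    cookie lasts for the browser session.
    """
    parts = [f"{name}={session_id}", "Path=/", "Secure", "HttpOnly", "SameSite=Lax"]
    if max_age is not None:
        parts.append(f"Max-Age={max_age}")
    return "; ".join(parts)


def missing_cookie_flags(set_cookie: str) -> List[str]:
    """Audit a Set-Cookie header value and list the protective flags it lacks."""
    attrs = {a.strip().split("=", 1)[0].lower() for a in set_cookie.split(";")[1:]}
    return [flag for flag in REQUIRED_FLAGS if flag.lower() not in attrs]


@dataclass
class Session:
    user: Optional[str]   # None while the visitor has not logged in
    created: float        # time the ID was issued (for the absolute timeout)
    last_seen: float      # time of the last request (for the idle timeout)


class SessionStore:
    """In-memory session table that rotates IDs at login and expires stale sessions."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock          # injectable clock so expiry can be exercised offline
        self._sessions: Dict[str, Session] = {}

    def _new_id(self) -> str:
        # 256 bits from the OS CSPRNG; never derived from user data or a counter
        return secrets.token_urlsafe(32)

    def start(self) -> str:
        """Issue an anonymous (pre-login) session ID."""
        now = self._clock()
        sid = self._new_id()
        self._sessions[sid] = Session(None, now, now)
        return sid

    def login(self, old_sid: str, user: str) -> str:
        """Rotate the ID at authentication: the pre-login ID is dropped, a fresh one is issued."""
        self._sessions.pop(old_sid, None)
        now = self._clock()
        sid = self._new_id()
        self._sessions[sid] = Session(user, now, now)
        return sid

    def user_for(self, sid: str) -> Optional[str]:
        """Resolve a session ID to its user, enforcing the idle and absolute timeouts."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]  # expired: forget it rather than honour it
            return None
        s.last_seen = now
        return s.user

    def logout(self, sid: str) -> None:
        """Server-side invalidation; clearing the browser's cookie alone is not enough."""
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore()
    anon = store.start()
    sid = store.login(anon, "alice")             # old ID no longer resolves
    print(session_cookie_header("sid", sid))     # the header the site would send
    print(missing_cookie_flags("sid=abc; Path=/"))  # -> ['Secure', 'HttpOnly', 'SameSite']
```

The audit function is the part a site owner can use on their own responses: capture the Set-Cookie header the site sends after login and check that nothing in the returned list is missing. The store shows the other half of the article's point: a stolen ID is only useful while the server still honours it, so rotating at login, invalidating at logout and expiring idle sessions all shrink the window in which a hijacked cookie works.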
Use a VPN
Public WiFi networks are notorious for their security vulnerabilities. Since these networks are often unencrypted, they tend to be a prime target for hackers who exploit this vulnerability to harvest personal information, login credentials, financial information and more.
A VPN, or Virtual Private Network, offers added security by encrypting your data as well as hiding your IP address. A hidden IP address means that your activities online cannot be easily traced back to you, adding a layer of anonymity and security.
Using a VPN is always a good idea but it’s essential when using public WiFi.
Use Antivirus Software
Antivirus software is another tool that can help reduce risk. While antivirus doesn’t directly prevent session hijacking, it can alert you to dangerous tools often used to perpetrate hijacking.
For example, antivirus software is good at spotting:
- Malware and keyloggers that might try to steal session tokens, passwords or cookies.
- Browser hijackings or malicious extensions that could intercept sessions.
- Phishing sites that trick you into logging in and handing over your session to someone else.
So, in that sense, it helps prevent the setup for session hijacking.
Takeaways
Session hijacking is on the rise and poses a serious risk to your personal, business and financial data. However, there are some simple steps you can take to protect yourself.
With so much at stake, it pays to spend a little extra effort on security.
Remember:
- Log Out After Each Session
- Never Use “Remember Me” on Public WiFi
- Use Secure Websites: HTTPS
- Always Use a VPN on Public WiFi
- Use a Password Manager
- Use Antivirus Software