Session hijacking or session forging is another security issue that most websites are prone to. In this article, we will learn more about the attack and how to protect your website against it.

This is a wide class of attacks on a user's session data, rather than a specific assault. It has many forms, and they are discussed below.

A man-in-the-middle attack occurs when an attacker intercepts session data as it travels over the network.

In session forging, an attacker uses a session ID that was probably obtained through a man-in-the-middle attack to pretend to be another user. As an example of the first two, an attacker in a shopping mall might use the shop's wireless network to capture a session cookie. She might then mimic the original user by using the cookie.

A cookie-forging attack is another type, in which an attacker alters the apparently read-only data saved in a cookie. Websites that have saved cookies like IsLoggedIn=1 or even LoggedInAsUser=ram have a lengthy history. Exploiting these kinds of cookies is a piece of cake. That's why you should never trust anything stored in cookies; you never know who's been digging around in them.

An attacker can employ session fixation to deceive a user into changing or resetting their session ID. PHP, for example, permits session identifiers to be passed in the URL (for example, ). When a user is tricked into clicking a link with a hard-coded session ID, that session is picked up by the user, and the attacker can then use that session as if she were the user.
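The two defences the article points at, a cookie whose value the browser cannot edit (against the IsLoggedIn=1 / LoggedInAsUser=ram style of cookie forging) and a server-side session whose ID is rotated at login and never read from the URL (against session fixation), as an added Python example. This is not code from the original article; the secret, the cookie names, the username and the URL are constructed placeholders, and the HMAC-signed cookie is one common way to do this, not the only one.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed placeholder secret: a real deployment loads this from configuration.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"
SESSION_COOKIE = "sessionid"  # assumed cookie name


def _mac(name: str, value: str, secret: bytes) -> str:
    # Bind the MAC to the cookie name so a valid signature for one cookie
    # cannot be moved onto another cookie.
    return hmac.new(secret, f"{name}={value}".encode(), hashlib.sha256).hexdigest()


def sign_cookie(name: str, value: str, secret: bytes = SERVER_SECRET) -> str:
    """Return 'value.signature'; the browser still sees the value but cannot change it."""
    return f"{value}.{_mac(name, value, secret)}"


def verify_cookie(name: str, cookie: str, secret: bytes = SERVER_SECRET):
    """Return the value if the signature checks out, otherwise None (edited or unsigned)."""
    value, sep, mac = cookie.rpartition(".")
    if not sep:
        return None  # a bare value such as IsLoggedIn=1 carries no signature at all
    if not hmac.compare_digest(mac, _mac(name, value, secret)):
        return None
    return value


class SessionStore:
    """Server-side sessions: the cookie holds only a random ID, all state stays here."""

    def __init__(self):
        self._sessions = {}

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def login(self, old_sid, username: str) -> str:
        """Rotate the ID at login, so an ID fixed before login no longer identifies anything."""
        data = self._sessions.pop(old_sid, None) or {}
        data["user"] = username
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid


def session_id_from_request(cookies: dict, url: str):
    """Take the session ID from the cookie only; report, but never honour, one in the URL."""
    url_sid = parse_qs(urlsplit(url).query).get(SESSION_COOKIE, [None])[0]
    return cookies.get(SESSION_COOKIE), url_sid


def demo() -> dict:
    # Cookie forging: the signed value verifies, an edited value with the old MAC does not.
    good = sign_cookie("LoggedInAsUser", "alice")
    forged = "ram." + good.split(".", 1)[1]
    # Session fixation: an ID that existed before login is dead after login.
    store = SessionStore()
    planted = store.new_session()  # the ID a hard-coded link would carry
    after_login = store.login(planted, "alice")
    return {
        "signed_ok": verify_cookie("LoggedInAsUser", good),
        "forged_ok": verify_cookie("LoggedInAsUser", forged),
        "unsigned_ok": verify_cookie("IsLoggedIn", "1"),
        "planted_alive": store.get(planted) is not None,
        "login_user": store.get(after_login)["user"],
        "url_sid": session_id_from_request({}, "https://example.test/?sessionid=deadbeef"),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: the MAC covers the cookie name as well as the value, so a signature minted for one cookie cannot be pasted onto another, and `login` discards the pre-login session ID rather than upgrading it, which is the check that makes a fixed ID worthless. Signing only protects integrity; anything you put in the cookie is still readable by whoever holds it.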