What is session hijacking and how to prevent it?
· Category: Cybersecurity
Short answer
Session hijacking occurs when an attacker steals a user's session identifier and uses it to impersonate the victim without needing their password.
How it works
Attackers obtain session tokens through XSS, packet sniffing on unencrypted networks, malware, or session fixation attacks. Once they possess the token, they present it to the application, which treats them as the legitimate user.
Example
An attacker on a public Wi-Fi network captures cookies transmitted over HTTP. They import the cookie into their browser and gain access to the victim's online accounts.
Why it matters
Session hijacking bypasses authentication entirely. Strong session management, HTTPS enforcement, HttpOnly cookies, and short session timeouts are essential to reduce exposure.
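The defences listed above, as an added example that is not part of the original answer: a minimal server-side session store that issues unguessable identifiers, rotates the identifier at login (defeating session fixation), expires idle sessions, and emits a Set-Cookie value with the HttpOnly, Secure and SameSite attributes. The cookie name, the 15-minute timeout and the injectable clock are assumptions made for this example.

```python
import secrets
import time

SESSION_TTL_SECONDS = 900  # assumed short idle timeout (15 minutes)


class SessionStore:
    """In-memory session table keyed by a random, unguessable identifier."""

    def __init__(self, now=time.time):
        self._sessions = {}  # session_id -> {"user": str | None, "last_seen": float}
        self._now = now      # injectable clock so expiry can be exercised in tests

    def create(self):
        """Start an anonymous session; the ID comes from a CSPRNG, never from the client."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "last_seen": self._now()}
        return sid

    def login(self, old_sid, username):
        """Rotate the identifier on privilege change so a fixated pre-login ID is useless."""
        self._sessions.pop(old_sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": username, "last_seen": self._now()}
        return new_sid

    def user_for(self, sid):
        """Resolve a presented cookie; idle sessions are discarded rather than honoured."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._now() - entry["last_seen"] > SESSION_TTL_SECONDS:
            del self._sessions[sid]
            return None
        entry["last_seen"] = self._now()
        return entry["user"]

    def logout(self, sid):
        """Invalidate server-side so a stolen copy of the cookie stops working too."""
        self._sessions.pop(sid, None)


def session_cookie_header(sid):
    """Set-Cookie value: HttpOnly keeps the token away from script (XSS), Secure keeps
    it off plaintext HTTP (Wi-Fi sniffing), SameSite=Strict stops cross-site sending,
    and the __Host- prefix (assumed name) binds it to this origin's Path=/ over HTTPS."""
    return (f"__Host-session={sid}; Path=/; Secure; HttpOnly; "
            f"SameSite=Strict; Max-Age={SESSION_TTL_SECONDS}")
```

Calling `logout` on the server, not merely clearing the browser cookie, is what makes an already-copied token worthless.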