Session Hijacking

An attack that captures active session tokens so adversaries can impersonate authenticated users.

What it is

Session hijacking, also known as cookie hijacking, is a cyberattack in which an attacker takes control of a valid user session. Instead of stealing login credentials directly, the attacker captures session tokens—unique identifiers that websites use to recognize authenticated users. Once the attacker obtains this token, they can impersonate the user, bypass authentication, and access sensitive data or perform unauthorized actions.

Session hijacking can occur through multiple vectors:

  • Man-in-the-middle (MitM) attacks where traffic is intercepted on unencrypted connections.
  • Cross-site scripting (XSS) where malicious scripts extract session cookies from browsers.
  • Session fixation where attackers force users to log in with a known session ID.
  • Malware that captures stored cookies from compromised devices.

Modern web sessions often rely on tokens (for example, JWTs) rather than cookies, but the risk remains if tokens are not securely transmitted, stored, or invalidated.

Why it matters

Session hijacking is one of the most common and dangerous web application attacks. Once an attacker gains control of an active session, they inherit all the permissions of the legitimate user, potentially accessing financial accounts, admin dashboards, or confidential business data. These attacks can also undermine trust in authentication systems, especially if users believe their credentials alone were compromised.

How to reduce risk

  • Enforce HTTPS and secure cookie attributes (HttpOnly, Secure, SameSite).
  • Regenerate session IDs after authentication.
  • Implement short-lived session tokens and automatic expiration.
  • Detect anomalies such as simultaneous logins from distant IPs.
  • Use Content Security Policy (CSP) to block unauthorized script execution.
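The following is an added example, not code from the original glossary entry, showing how the first four mitigations above fit together in a minimal server-side session store: cookie attributes set on issue, a fresh session ID after authentication (which also defeats session fixation), a short absolute lifetime, and a simple anomaly check. The cookie name, the 15-minute lifetime and the IP-based check are assumptions chosen for illustration; the IP check is a simplification of the "distant IPs" heuristic (it compares addresses, not geolocation) and will produce false positives for clients whose address legitimately changes, such as mobile users.

```python
"""Defensive session handling (illustrative, not from any framework):
secure cookie attributes, ID regeneration on login, short-lived sessions,
and a simple concurrent-login / address-change anomaly check."""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

SESSION_TTL_SECONDS = 15 * 60   # assumed policy: absolute lifetime of a session
COOKIE_NAME = "sid"             # hypothetical cookie name


@dataclass
class Session:
    user_id: Optional[str]      # None until the user authenticates
    client_ip: str              # address the session was issued to
    created_at: float
    expires_at: float


def new_session_id() -> str:
    # 256 bits from the OS CSPRNG: an ID that cannot be guessed or predicted
    return secrets.token_urlsafe(32)


def set_cookie_header(session_id: str, max_age: int = SESSION_TTL_SECONDS) -> str:
    # Secure: never sent over plain HTTP, so a MitM on an unencrypted link never sees it
    # HttpOnly: not exposed to document.cookie, so an XSS payload cannot read it
    # SameSite=Strict: not attached to cross-site requests
    # Max-Age: the browser drops the cookie when the server-side session expires
    return (f"{COOKIE_NAME}={session_id}; Path=/; Max-Age={max_age}; "
            f"Secure; HttpOnly; SameSite=Strict")


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}
        self.alerts: List[str] = []     # anomaly findings for the SOC / logging

    def create(self, client_ip: str, now: Optional[float] = None) -> str:
        """Anonymous (pre-login) session, e.g. for a login form."""
        now = time.time() if now is None else now
        sid = new_session_id()
        self._sessions[sid] = Session(None, client_ip, now, now + SESSION_TTL_SECONDS)
        return sid

    def login(self, old_sid: str, user_id: str, client_ip: str,
              now: Optional[float] = None) -> str:
        """On successful authentication, issue a brand-new ID and discard the
        old one, so an ID planted before login (session fixation) is useless."""
        now = time.time() if now is None else now
        self._sessions.pop(old_sid, None)
        new_sid = new_session_id()
        self._sessions[new_sid] = Session(user_id, client_ip, now, now + SESSION_TTL_SECONDS)
        # Anomaly: the same user is already active from a different address.
        for sid, s in self._sessions.items():
            if (sid != new_sid and s.user_id == user_id
                    and s.client_ip != client_ip and s.expires_at > now):
                self.alerts.append(
                    f"user {user_id}: concurrent sessions from {s.client_ip} and {client_ip}")
        return new_sid

    def resolve(self, sid: str, client_ip: str,
                now: Optional[float] = None) -> Optional[Session]:
        """Validate a presented session ID; returns None when it must be rejected."""
        now = time.time() if now is None else now
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now >= s.expires_at:
            del self._sessions[sid]          # expired: invalidate server-side too
            return None
        if s.client_ip != client_ip:
            # Token replayed from another address: treat as a possible hijack,
            # kill the session and record the event for investigation.
            self.alerts.append(
                f"user {s.user_id}: session {sid[:8]}... presented from {client_ip}, "
                f"bound to {s.client_ip}")
            del self._sessions[sid]
            return None
        return s

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)       # explicit invalidation on logout
```

The store is keyed by the random ID, so the cookie carries no user data at all; everything about the session lives server-side, where it can be revoked. Revoking on address change is the strictest option; a production deployment would more often log the event and require step-up authentication rather than ending the session outright.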