19

When I leave a site without logging out, the next time I browse that site I find I am still logged in. How does that server restore the session value for my browser? Is there any chance of being hacked in this process? Can that restored session value be stolen by others? Please share your thoughts about this. Thanks in advance.

Masud Rahman

7 Answers

19

In all technologies I'm aware of, web-based session values are stored on the remote server. So, to hack your session values would require hacking the remote server. What you are encountering is the fact that your session identifier is stored in a cookie (a session cookie), so that when you re-open your browser the cookie is being used to identify you and provide access to your remote session. Normally session cookies have a short TTL (time to live) before they expire and log you out, but if not, then explicitly logging out should clear it. If you are really worried you can delete your cookies.

Dan Diplo
  • Ordinary sessions aren't hacked up ... they're hijacked (very common with WordPress cookies, which doesn't even have server-side sessions). Cookies are just client-side session storage. – Martin Zeitler Mar 20 '13 at 17:56
  • Are `SESSION` variables considered secure? If someone logs in and I store in the session scope their ID and their state of being logged in, is using that ID to query data and return data to them safe? I would imagine so, but not sure. Must I store their state in a DB and only use that as a status? I would think SESSION is secure enough. – Leeish Feb 12 '15 at 15:20
5

What you are seeing is the result of a cookie being stored with your browser to hang on to that session information. Can it be hacked? Depends on the site/application, but no more than it could be if you hadn't closed your browser.

Brad
4

Depending on whether the server checks the IP address trying to use the token (probably a cookie, but doesn't have to be) against the one that logged in, it might be possible for a thief to use that cookie to gain access to your account.

A well-designed site will not only cause sessions to time-out but also restrict them to a single IP address (and browser user-agent, etc).

Ben Voigt
  • Even checking the IP doesn't make it safe from hijacking. If both the victim and hijacker sit behind the same router, then the web server will see them as coming from the same machine (since their public IP would be the same). Browser IDs aren't secure either... they can easily be spoofed. – Gert Grenander Sep 26 '10 at 16:15
  • Definitely. Protecting against real-time replay attacks is difficult. It's recommended to verify IP address, etc., but one shouldn't rely on these as they aren't secure. – Ben Voigt Sep 26 '10 at 18:44
2

As others have noted this is the cookie on your machine.

The way to "hack" it would be to gain access to your machine and then take a copy of the cookie. Or take a copy of the cookie while it is being sent to the browser.

To guard against this you could:

  • Send the cookie to the client over https.
  • Do not store the cookie on disk (a cookie without a timeout will be stored in memory)

Locking a session to a single IP address can cause problems if your users are coming from a network with 2 proxy servers.

Shiraz Bhaiji
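As an added example (not code from any answer above), a minimal Python session store that ties together what Dan Diplo's and Shiraz Bhaiji's answers describe: the browser holds only an opaque session ID in a cookie, the state and its expiry live on the server, explicit logout invalidates the ID, and the cookie is sent HTTPS-only and without Max-Age/Expires so it is not persisted to disk. The TTL value and the `sid` cookie name are assumptions.

```python
# Added example (not from any answer on this page): a minimal server-side
# session store showing the mechanics the answers describe. The browser only
# holds an opaque session ID in a cookie; all state stays on the server.
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 30 * 60  # idle timeout in seconds (assumed value)

class SessionStore:
    """Server-side sessions keyed by a random, unguessable ID."""

    def __init__(self, ttl=SESSION_TTL, now=time.time):
        self.ttl = ttl
        self.now = now        # injectable clock so expiry can be tested
        self._sessions = {}   # session_id -> {"user": ..., "expires": ...}

    def create(self, user):
        sid = secrets.token_urlsafe(32)  # 256 bits of entropy
        self._sessions[sid] = {"user": user, "expires": self.now() + self.ttl}
        return sid

    def lookup(self, sid):
        """Return the user for a valid session, or None if unknown/expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self.now() >= s["expires"]:
            self._sessions.pop(sid, None)   # lazy expiry of stale sessions
            return None
        s["expires"] = self.now() + self.ttl  # sliding idle timeout
        return s["user"]

    def logout(self, sid):
        """Explicit logout drops the server-side state, so a copied cookie is useless afterwards."""
        return self._sessions.pop(sid, None) is not None

def session_cookie_header(sid):
    """Set-Cookie value for the session ID: HTTPS-only, not readable by JS,
    and with no Max-Age/Expires so the browser treats it as a session cookie
    (kept in memory and discarded when the browser closes)."""
    c = SimpleCookie()
    c["sid"] = sid
    c["sid"]["secure"] = True
    c["sid"]["httponly"] = True
    c["sid"]["samesite"] = "Lax"
    c["sid"]["path"] = "/"
    return c.output(header="").strip()
```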
1

It uses cookies, a text string your browser keeps on behalf of the site, either for a set time limit or till you close your browser.

Log out if it's a concern. Obviously, if someone else uses the same computer shortly after you, they'd be able to use the site logged in as you. Always explicitly log out from publicly accessible computers.

Alexander Sagen
0

You would have to sniff his traffic and steal his cookies. Then, if he doesn't log out (so the server does not invalidate the cookies), you could log in with them.

Alberto Perez
0

The cookie usually is a session id that connects to a session database on the website's server; however, there are some cookies where most details are in local storage and are normally accessed through JavaScript or an identification key on the server. Most cookies can't be hacked, because you would need to decrypt the cookie by using a key which is normally on the server and then get remote access to the session database.

Isaac Krementsov