Hijacking sessions happens on a remote computer?

Question

I am new in sessions. I read many articles, and I did not understand something. To hijack a session, does the attacker have to be on the same computer that the victim logged in on?

I mean like going in the library and you forget to logout.

Or hijacking can be made without this?

possible duplicate of [PHP Session Security](http://stackoverflow.com/questions/328/php-session-security) — Incognito, Aug 24 '11 at 22:39

score 1 · Answer 1 · answered Aug 24 '11 at 22:38

Assuming ...

The attacker did not compromise either the client or server machine, and
Is not listening in (either local to the client, or local to the server, or on internet core routers), or the connection is sufficiently encrypted
The session token is sufficiently random (which you can assume for php's built-in session mechanism)
Your website has no XSS or XSRF vulnerabilities.

... the only way to hijack a session is indeed physically using the browser the victim used before. You can configure the lifetime of the session with the session.cookie_lifetime configuration option. The default (0) advises the browser to invalidate the session as soon as the browser is closed.

@Gaourokelos Yes, you can set this option in `php.ini`, but also in a `.htaccess` or the script itself (via [`ini_set`](http://php.net/ini_set)). Note that the default value (a session cookie) is a good value. — phihag, Aug 24 '11 at 22:48

score 0 · Answer 2 · answered Aug 24 '11 at 22:43

It can be made in various ways.

Hacker can access/put a virus on the victims computer where he finds his session id.
He can listen to the network traffic to sniff out the cookie.
It's also possible (especially on shared hosting) to access the directory where session data is stored.
If you don't filter input data xss attacks are possible.

You can prevent some of the dangers if you encrypt your connection or session cookies and if you store user's ip/browser when he/she logs in and then check if it the request's ip matches.

Thank you for this, as I read to store IP at the login and check it on every page is reliable. — Gaourokelos, Aug 24 '11 at 22:44

score 0 · Answer 3 · answered Aug 25 '11 at 14:08

Sessions are stored on the server and accessed by a Session ID, and thats a browser cookie. All the person would have to do to hijack a session is use a session ID that someone else is using. In other words, change their session cookie to that of someone else's.

Hijacking sessions happens on a remote computer?

3 Answers3