
I'm a beginner bug hunter, and in some of my study pentests I found this code:

DISCLAIMER: all these "numbersandletters" things are just to exemplify.

PHPSESSID=NumbersAndLettershere; _ga=GA1.NumbersAndDotsHere; _ga_NumbersAndLetters=GS1NumbersAndDots

I've already tried the Burp Suite decoder, did some research, and talked to some friends who also study white hat, but I couldn't find any useful direction to go in. If anyone could clarify this for me or tell me some things to study that would help me understand more about it, I'd appreciate it a lot.

Marek Puchalski

1 Answer

PHPSESSID is the name given to an HTTP session cookie in PHP-based applications. It's a random number, usually 128 bits long. Like all random numbers, it does not carry any additional meaning or encoded values. When you know this value, you can hijack the user's session. But guessing 128 bits is hard, so we usually consider such session handling to be secure.

GA smells like some Google Analytics stuff. See this: what are the values in _ga cookie?

Marek Puchalski
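A check a tester or developer can run on the cookies discussed above, as an added example that is not part of the original question or answer: it splits a Cookie header, labels each cookie as session or analytics, and estimates how many bits the session ID can hold against the 128 bits the answer mentions. The function names and the sample header are constructed for illustration; the three alphabets are the ones PHP's `session.sid_bits_per_character` setting allows.

```python
import string

# Constructed sample Cookie header (placeholder values, not captured traffic).
SAMPLE = ("PHPSESSID=0123456789abcdef0123456789abcdef; "
          "_ga=GA1.2.1111111111.1700000000; _ga_ABC123=GS1.1.1700000000")

# Alphabets PHP can use for session IDs (session.sid_bits_per_character = 4, 5, 6).
ALPHABETS = [
    (4, set("0123456789abcdef")),
    (5, set(string.digits + "abcdefghijklmnopqrstuv")),
    (6, set(string.digits + string.ascii_letters + ",-")),
]
MIN_BITS = 128  # the size the answer describes as hard to guess


def parse_cookie_header(header):
    """Split a Cookie request header into a name -> value dict."""
    pairs = (p.strip().split("=", 1) for p in header.split(";") if "=" in p)
    return {name: value for name, value in pairs}


def capacity_bits(token):
    """Bits the token can hold, using the smallest alphabet that fits it.
    This bounds the ID space only; it cannot prove the generator is random."""
    for bits, alphabet in ALPHABETS:
        if token and set(token) <= alphabet:
            return bits * len(token)
    return None  # empty, or not drawn from a PHP session ID alphabet


def classify(name):
    """PHPSESSID is PHP's default session cookie name; sites may rename it."""
    if name == "PHPSESSID":
        return "session"
    if name == "_ga" or name.startswith("_ga_"):
        return "analytics"
    return "unknown"


def audit(header):
    """Return (name, kind, bits, ok) per cookie; bits and ok apply to session IDs only."""
    report = []
    for name, value in parse_cookie_header(header).items():
        kind = classify(name)
        bits = capacity_bits(value) if kind == "session" else None
        ok = (bits is not None and bits >= MIN_BITS) if kind == "session" else None
        report.append((name, kind, bits, ok))
    return report
```

A session ID that falls below the threshold, or that repeats or increments across fresh logins, is worth reporting; an ID that passes here still needs its generator and cookie flags reviewed separately.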