9 Session vulnerabilities

In this chapter

  • How server-side and client-side sessions are implemented
  • How sessions can be hijacked
  • How sessions can be forged if session identifiers are guessable
  • How client-side sessions can be tampered with unless you digitally sign or encrypt the session state
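
The last two bullets describe the two properties a session mechanism needs: identifiers that cannot be guessed, and client-side state that cannot be modified without detection. The following example is added here and is not code from the book; it assumes a hypothetical `SERVER_KEY` (in practice loaded from a secrets store) and shows a server-side session ID drawn from a CSPRNG, and a client-side session token whose JSON state is protected by an HMAC-SHA256 tag so that a rewritten payload is rejected on verification.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Hypothetical signing key for this demo only. A real deployment loads the
# key from a secrets store and rotates it; it is never committed to source.
SERVER_KEY = b"example-key-for-demo-only-do-not-use"


def new_session_id() -> str:
    """Server-side session identifier: 32 random bytes (256 bits) from the
    OS CSPRNG, URL-safe encoded. Counters, timestamps or user IDs are
    guessable and must not be used here."""
    return secrets.token_urlsafe(32)


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(state: dict, key: bytes = SERVER_KEY) -> str:
    """Client-side session token of the form '<payload>.<tag>'.

    The payload is canonical JSON (sorted keys, no whitespace) so that the
    same state always signs to the same bytes. The tag is HMAC-SHA256 over
    the encoded payload. Note that this gives integrity, not secrecy: the
    payload is only base64, so anyone holding the token can read it. State
    that must stay confidential needs encryption as well.
    """
    payload = _b64e(json.dumps(state, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
    return f"{payload}.{_b64e(tag)}"


def verify_session(token: str, key: bytes = SERVER_KEY):
    """Return the session state if the tag verifies, otherwise None.

    The tag is recomputed over the received payload and compared with
    hmac.compare_digest so that the comparison time does not depend on
    where the first differing byte is.
    """
    try:
        payload, tag_b64 = token.split(".", 1)
        expected = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(tag_b64)):
            return None
        return json.loads(_b64d(payload))
    except ValueError:
        # Covers malformed base64 (binascii.Error), bad UTF-8 and bad JSON,
        # all of which subclass ValueError. Any failure means "no session".
        return None


def tampered_token_is_rejected(token: str, new_state: dict) -> bool:
    """Defender-side check used in tests: splice a new payload onto the
    original tag (what a modified cookie looks like without the key) and
    confirm the server refuses it."""
    _, tag = token.split(".", 1)
    new_payload = _b64e(json.dumps(new_state, sort_keys=True, separators=(",", ":")).encode())
    return verify_session(f"{new_payload}.{tag}") is None


if __name__ == "__main__":
    print("server-side id:", new_session_id())
    token = sign_session({"user": "alice", "role": "user"})
    print("signed token:", token)
    print("verified state:", verify_session(token))
    print("role rewrite rejected:",
          tampered_token_is_rejected(token, {"user": "alice", "role": "admin"}))
```

Two details matter in `verify_session`: it never trusts the payload before the tag has checked out, and it uses a constant-time comparison. A server that decoded the JSON first, or compared tags with `==`, would still be exposed to the tampering this chapter describes.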

In chapter 8, we looked at how attackers try to steal credentials from your users. If that strategy isn’t feasible, the next thing an attacker will try is accessing a victim’s account after they log in.

The continued authenticated interaction between a browser and a web server—when a user visits various pages in your web application and the server recognizes who they are—is called a session. Session hijacking is the act of stealing a user’s identity while ...
