The common practice in authentication and subsequent session tracking is to take the session id sent by the client and compare it against the user details stored in the database: the session id, user agent details, IP, etc. Now, if a hacker gets access to the session token and guesses or extracts the other details, can he impersonate the user? What steps can we take to prevent such attacks?
For most applications, getting the session token is enough; no further checks are usually implemented. The only thing that would make a very significant difference is checking the request source IP against the session token. That would actually increase security, but from a usability perspective it's a disaster - IP addresses of typical users sometimes change, and a lot of users may share the same external IP (as in certain ISPs or corporate networks).
So yes, getting the session token allows an attacker to impersonate a user.
To prevent such attacks, session ids need to be generated with secure random generators (or, even better, from real random sources, but that gets problematic at scale), and they need to be protected while in transit (HTTPS) and also when stored (HttpOnly cookies). Of course, sometimes other aspects are equally important, so different compromises can be made (like storing the token in, say, localStorage, but only a short-lived one, and storing a refresh token in an HttpOnly cookie for the identity provider).
Most importantly, you should almost never implement this yourself, unless you have really special requirements (things that, most likely, close to nobody has wanted before). In all other cases, you will find it already implemented on your technology stack in well-known libraries or frameworks that a lot of people have tested - you should use those.
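As an added illustration of the points made in this answer (not code from the answer's author, and not a substitute for a framework's own session handling), the following Python sketch shows the defensive pieces side by side: a session id drawn from the OS CSPRNG, only a hash of it kept server-side, a short lifetime, cookie attributes that keep the token out of script and off plain HTTP, and an optional IP-binding check that demonstrates the usability trade-off described above. The in-memory store, the class and function names, and the sample IPs are all constructed for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Constructed example: in production the store would be a database or cache;
# the point here is the handling around it, not the storage.
SESSION_TTL_SECONDS = 15 * 60  # short-lived session, as the answer recommends


@dataclass
class Session:
    user_id: str
    token_hash: str          # only a hash of the token is kept server-side
    expires_at: float
    bound_ip: Optional[str]  # set only when the deployment opts into IP binding


class SessionStore:
    def __init__(self, ttl: int = SESSION_TTL_SECONDS, bind_ip: bool = False):
        self.ttl = ttl
        self.bind_ip = bind_ip
        self._sessions: dict[str, Session] = {}  # keyed by token hash

    @staticmethod
    def _hash(token: str) -> str:
        # A leaked copy of the store then does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user_id: str, client_ip: str) -> str:
        # secrets.token_urlsafe reads the OS CSPRNG; 32 bytes = 256 bits of entropy,
        # so guessing a valid id is infeasible.
        token = secrets.token_urlsafe(32)
        h = self._hash(token)
        self._sessions[h] = Session(
            user_id=user_id,
            token_hash=h,
            expires_at=time.time() + self.ttl,
            bound_ip=client_ip if self.bind_ip else None,
        )
        return token  # handed to the client exactly once, via Set-Cookie

    def lookup(self, token: str, client_ip: str,
               now: Optional[float] = None) -> Optional[str]:
        """Return the user id for a valid token, or None if it must be rejected."""
        now = time.time() if now is None else now
        h = self._hash(token)
        sess = self._sessions.get(h)
        if sess is None:
            return None
        if now >= sess.expires_at:
            del self._sessions[h]  # expired sessions are dropped on first use
            return None
        if sess.bound_ip is not None and sess.bound_ip != client_ip:
            # The usability cost from the answer: a stolen token presented from
            # another address is refused, but so is a legitimate user whose IP changed.
            return None
        return sess.user_id

    def revoke(self, token: str) -> None:
        # Server-side invalidation on logout; clearing the cookie alone is not enough.
        self._sessions.pop(self._hash(token), None)


def set_cookie_header(token: str, ttl: int = SESSION_TTL_SECONDS) -> str:
    # HttpOnly keeps script from reading the cookie, Secure restricts it to HTTPS,
    # SameSite=Strict stops cross-site requests from carrying it.
    return (f"Set-Cookie: session={token}; Max-Age={ttl}; Path=/; "
            "HttpOnly; Secure; SameSite=Strict")


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("alice", "203.0.113.5")   # constructed client address
    print(set_cookie_header(tok))
    print("same token, other IP, no binding:", store.lookup(tok, "198.51.100.7"))
    bound = SessionStore(bind_ip=True)
    tok2 = bound.create("bob", "203.0.113.5")
    print("same token, other IP, IP-bound:", bound.lookup(tok2, "198.51.100.7"))
```

Without IP binding, the second lookup succeeds from a different address, which is exactly the situation in the question: possession of the token is sufficient. With binding enabled it fails, and so would a legitimate user on a changing IP, which is why the answer treats that check as a usability trade-off rather than a default.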