Session Hijacking
Session Hijacking.
Web applications communicate using the HTTP protocol. HTTP is stateless, which means there is no support at the protocol level for identifying the state of a particular request. Web servers have no built-in mechanism to know whether a request is coming from a new client or from a client that is already communicating with them. From the server's point of view, every request it receives is a new request.
For example, say a client logs into his Facebook account by sending his credentials. If he now wishes to see his messages, he would have to send his credentials again, because the server does not by itself know that he already authenticated in the previous request. Remembering this is something that developers have to do themselves. This is called "Session Tracking".
Session Traced.
Sessions are traced by developers primarily through the use of session identifiers (SIDs). Once the user has successfully authenticated, a session ID is created and maintained by the server. From then on, this value is checked on every request to track the user.
In other words, the session ID is used as an authentication token so that the user does not have to re-enter the credential information with every request.
Mechanism of Session Tracking.
There are three types of mechanisms to track sessions.
Cookies.
The SID is created and maintained on the server and sent to the user in a cookie. The cookie is stored on the user's hard disk and accompanies each request. The server verifies it before executing the request. This is the most widely used mechanism, and the one we will talk about most in the sections below.
URL Rewriting.
In this mechanism the SID value travels in the URL of each request. This kind of session tracking is harder to maintain, as the parameter has to be carried along like a chain link until the conversation completes.
Hidden Fields.
Hidden fields are form elements that are not directly visible to the user, although they can be seen by viewing the page source. They can also be used for session management: the SID value is stored in a hidden field and sent to the server with each request. This mechanism is rarely used these days.
Prevention of Session Hijacking.
The best way to prevent session hijacking is to enable protection on the client side. Users should have effective antivirus and anti-malware software and should keep their software up to date.
There is also a server-side technique that uses engines to fingerprint every request of a session. In addition to tracking the client IP address and the SSL session ID, these engines also track the HTTP headers, so that a session ID presented from a different client context can be recognised and rejected.
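As an added example (not code from the original post), the following Python sketch ties the earlier sections together: it extracts the SID from the three carriers described above (cookie, rewritten URL, hidden field), issues a random SID with a hardened Set-Cookie header, and binds each session to a fingerprint built from the client IP, the TLS session ID and a stable subset of HTTP headers, as the fingerprinting engines do. The `Request` class, the cookie name `SID`, the `tls_session_id` attribute and the sample addresses are all constructed for the illustration and are not part of any real framework.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from typing import Optional
from urllib.parse import parse_qs, urlparse

SESSION_COOKIE = "SID"  # assumed cookie / parameter name used by this example


@dataclass
class Request:
    """Constructed stand-in for an incoming HTTP request (not a real framework object)."""
    client_ip: str
    headers: dict
    url: str = "/"
    form: dict = field(default_factory=dict)
    tls_session_id: str = ""  # assumed to be supplied by the TLS terminator


def extract_sid(req: Request) -> Optional[str]:
    """Locate the session identifier in the three carriers the text describes:
    a cookie, a rewritten URL (?SID=...), or a hidden form field."""
    cookie = SimpleCookie(req.headers.get("Cookie", ""))
    if SESSION_COOKIE in cookie:
        return cookie[SESSION_COOKIE].value
    query = parse_qs(urlparse(req.url).query)
    if SESSION_COOKIE in query:
        return query[SESSION_COOKIE][0]
    return req.form.get(SESSION_COOKIE)


def fingerprint(req: Request) -> str:
    """Hash of the attributes the session is bound to: client IP, TLS session id
    and headers that stay constant for one browser during one session."""
    parts = [
        req.client_ip,
        req.tls_session_id,
        req.headers.get("User-Agent", ""),
        req.headers.get("Accept-Language", ""),
    ]
    return hashlib.sha256("\x1f".join(parts).encode()).hexdigest()


class SessionStore:
    """Minimal server-side session table with fingerprint binding and idle timeout."""

    def __init__(self, idle_timeout: int = 900):
        self._sessions = {}
        self.idle_timeout = idle_timeout
        self.alerts = []  # one entry per detected fingerprint mismatch

    def create(self, user: str, req: Request) -> str:
        # 256 bits of entropy from the OS CSPRNG; never derive a SID from user data or time.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "fp": fingerprint(req), "last_seen": time.time()}
        return sid

    def set_cookie_header(self, sid: str) -> str:
        # Secure keeps the cookie off plaintext HTTP, HttpOnly keeps it away from script,
        # SameSite=Strict stops it being attached to cross-site requests.
        return f"{SESSION_COOKIE}={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"

    def authenticate(self, req: Request, now: Optional[float] = None) -> Optional[str]:
        """Return the user owning the presented SID, or None if the request is rejected."""
        now = time.time() if now is None else now
        sid = extract_sid(req)
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if now - sess["last_seen"] > self.idle_timeout:
            del self._sessions[sid]  # expired: force a fresh login
            return None
        if fingerprint(req) != sess["fp"]:
            # Same SID arriving from a different client context: treat as a hijack,
            # invalidate the session for everyone and record an alert for the SOC.
            self.alerts.append(f"fingerprint mismatch for user {sess['user']} from {req.client_ip}")
            del self._sessions[sid]
            return None
        sess["last_seen"] = now
        return sess["user"]


if __name__ == "__main__":
    store = SessionStore()
    login = Request("203.0.113.5", {"User-Agent": "UA1"}, tls_session_id="tls-a")
    sid = store.create("alice", login)
    print(store.set_cookie_header(sid))
    follow_up = Request("203.0.113.5", {"User-Agent": "UA1", "Cookie": f"SID={sid}"}, tls_session_id="tls-a")
    print(store.authenticate(follow_up))  # alice
    replayed = Request("198.51.100.7", {"User-Agent": "UA1", "Cookie": f"SID={sid}"}, tls_session_id="tls-b")
    print(store.authenticate(replayed), store.alerts)  # None, one alert
```

The design choice worth noting is that a mismatch invalidates the session rather than merely refusing the one request: once the SID has been seen from two contexts it can no longer be trusted for either of them, and the legitimate user simply logs in again. Headers that legitimately change mid-session (for example `Accept-Encoding` behind some proxies) are deliberately left out of the fingerprint to avoid false positives.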