Session hijacking

- Session hijacking is an attack where a hacker steals a user's active session to gain unauthorized access to parts of a website. Sessions store user's data in a file or database on the server. It's more secure to store data in sessions than in browser cookies because the data never leaves the server. It cannot be viewed in transit or in storage. However, as we discussed in the previous movie, a session reference identifier, or session ID, is stored in a browser cookie and like all cookies, is vulnerable to theft. An attacker with a stolen session ID can access all of the data stored in the session. Even worse, they can impersonate a logged-in user. Imagine that a user logs into a web application successfully. Web application stores a bit of data in the session file to remember that the user's logged in. This enables the user to click links and visit other pages without having to re-authenticate each time. I think of it a…