session-hijacking Questions

9

It keeps running in my mind the last couple of days, but I read some articles about how to make your PHP sessions more secure. Almost all of these articles say that you need to save the useragent i...
Parkway asked 5/3, 2009 at 20:49

1

Can anyone give a clear difference between session fixation, session replay and session hijacking attacks? I have read many articles, but the matter is still unclear between session hijacking and s...

8

Solved

While I was reading about session hijacking articles, I learned that it would be nice to encrypt session id value that is stored in a cookie. As far as I know, when I start a session by calling s...
Thomasenathomasin asked 11/4, 2010 at 0:13

2

Solved

Most Web Applications use cookies to manage the session for a user and allow you to stay logged in even if the browser was closed. Let's assume we did everything by the book to make sure the cookie...
Perfidy asked 10/6, 2013 at 18:4

1

I'm developing an application in Java which seems to have a session hijacking vulnerability. In order to prevent this, the recommendation is to change the JSESSIONID for a user after log in. My appl...
Dakota asked 4/6, 2013 at 7:52

1

Solved

Something very strange and embarrassing happened to me the other day and I don't have words to describe what happened. My app runs Spring 3 integrated with JSF 2.1, Hibernate 4, Spring Security al...

1

Solved

My site is under a brute force attack in which the attackers are attempting to gain access to user accounts. The bots do not have a user agent. I have a system in place that blocks a person from si...
Turnsole asked 28/7, 2012 at 1:38

1

Solved

I've noticed that stackoverflow only uses SSL on the login page, and that questions/answers can be posted over HTTP. Users must be logged in to do that, and so I'm wondering how stackoverflow man...
Radioscopy asked 14/7, 2012 at 22:16

2

Solved

I'm trying to figure out how to prevent session hijacking. Here's what I was thinking of doing: Along with the user id session, add a user agent and user IP session too. Every time a page is loade...
Sciatica asked 29/5, 2012 at 18:0

1

Solved

I'm looking for a plain English, "for dummies" explanation of how does JSESSIONID work from security aspects. Can someone who merely knows my current JSESSIONID impersonate / hijack my session? I...
Halfback asked 7/5, 2012 at 3:51

1

Solved

I know this topic has been discussed a lot, but I have a few specific questions still not answered. For example: // **PREVENTING SESSION HIJACKING** // Prevents javascript XSS attacks aimed to ste...
Mantilla asked 7/12, 2011 at 17:2

1

Solved

I recently read an article on making ASP.NET sessions more secure here and at first it seems really useful. Previously I had been storing the user's IP address in the session, then making sure in ...
Ineslta asked 24/2, 2011 at 16:30

2

Solved

I'd like to find out what session ID hijacking protection is built into the current version of ASP.NET. I recently saw this very informative article that explains how session security can be enhan...
Bracket asked 26/5, 2010 at 10:44

3

Solved

Let's just consider the trust that the server has with the user. Session fixation: To avoid the fixation I use session_regenerate_id() ONLY in authentication (login.php) Session sidejacking: SSL ...
Jerky asked 18/8, 2010 at 22:45

3

I'm doing a simple shopping cart for a small site. I plan to store cart items as well as logged in user_id in session variables. To make things a little more secure, I thought I'd do this: sha...
Keener asked 26/5, 2010 at 22:7

4

Solved

I have been reading up on session fixing/hijacking recently, and understand the theory. What I don't understand is how this would be exploited in practice. Would you have to tamper with your brows...
Aluino asked 1/12, 2009 at 18:33

1

Solved

In an ASP.NET web app, using Integrated Windows Authentication, is the session tied to the windows identity? In other words, if I login (using IWA) to the app, and the app stores some "stuff" in my...

3

Solved

Lately I have seen this in my error log (1 per day, and I have 40k visitors per day): [22-Sep-2009 21:13:52] PHP Warning: session_start() [function.session-start]: The session id contains illegal ...
Gym asked 22/9, 2009 at 23:27