3 Attacking session management

This chapter covers

  • Understanding how session management works
  • Learning how hackers can steal session ID data
  • Determining whether an attack has occurred and how to prevent it
  • Protecting session (and other) cookies
  • Using HTTPS routinely and consistently

In late 2010, software developer Eric Butler released a Firefox extension called Firesheep. It worked like this: you would connect to a public Wi-Fi network, such as the one at a train station or a coffee shop. Once installed and active, the extension continuously analyzed the unencrypted traffic on the current wireless network. If someone else on the same network was logged into one of a select number of sites, a window popped up, prompting you to go to that site as that other person. And indeed, one click later, you could access a third-party site as the person sitting next to you. Those sites included

  • Amazon
  • Facebook
  • Google (including Google Mail)
  • Hacker News
  • LinkedIn
  • Quora
  • Reddit
  • Stack Overflow
  • Twitter
  • Windows Live (including Windows Live Mail, previously known as Hotmail)
  • Yahoo! (including Yahoo! Mail)
  • And about 20 more

3.1 Anatomy of a session management attack

3.1.1 Stealing session cookies

3.1.2 Cookies and session management

3.2 ASP.NET Core cookie and session settings

3.3 Enforcing HTTPS

3.4 Detecting session hijacking
