Cookie Hijacking, sometimes also known as session hijacking is the exploitation of a valid computer session—sometimes also called a session key—to gain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of a magic cookie used to authenticate a user to a remote server. It has particular relevance to web developers, as the HTTP cookies used to maintain a session on many web sites can be easily stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim’s compute
The following helps to protect against session hijacking and fixation attacks.
- Use SSL and set the $secure cookie parameter to true .
- Set the session.use_only_cookies php.ini parameter to 1 .
- Protect against XSS vulnerabilities in the application.
- Rotate the session id on successful login and logout using session_regenerate_id()