Session Hijacking
ELI5 — The Vibe Check
Session hijacking is when an attacker steals your session cookie or token and impersonates you. Like stealing someone's festival wristband and using it to get into shows in their place. The real user gets locked out or has no idea. Secure cookies, HTTPS, and short session lifetimes limit the damage.
Real Talk
Session hijacking (session theft) occurs when an attacker obtains a valid session identifier and uses it to impersonate an authenticated user. Common routes are XSS (reading the cookie with injected JavaScript), interception of unencrypted traffic (no HTTPS), and predictable session IDs that can be guessed. Mitigations: HttpOnly and Secure cookie flags, short session timeouts, and HTTPS everywhere.
Show Me The Code
// Setting secure session cookies (Express-style res.cookie)
res.cookie('sessionId', sessionToken, {
  httpOnly: true,          // JavaScript cannot read this cookie
  secure: true,            // Only sent over HTTPS
  sameSite: 'strict',      // Blocks CSRF
  maxAge: 15 * 60 * 1000,  // 15 minutes
});
When You'll Hear This
"XSS vulnerabilities enable session hijacking via document.cookie." / "Set HttpOnly on session cookies to prevent JavaScript access."
Related Terms
Authentication (AuthN)
Authentication is proving you are who you say you are.
CSRF (CSRF)
CSRF (Cross-Site Request Forgery) is when a bad website hijacks your logged-in session on a good website to do things you didn't ask for.
HTTPS (HyperText Transfer Protocol Secure)
HTTPS is HTTP but with a bodyguard. All the data flying between your browser and the website is scrambled so nobody can spy on it.
Man-in-the-Middle (MITM)
A man-in-the-middle attack is when a hacker secretly sits between you and the website you're talking to, reading and possibly changing everything you send...
Token
In AI-land, a token is a chunk of text — roughly 3/4 of a word.
XSS (XSS)
XSS stands for Cross-Site Scripting. Hackers inject their own JavaScript into your site so when other users visit, the evil script runs in their browser.