[{"data":1,"prerenderedAt":245},["ShallowReactive",2],{"term-s\u002Fsession-hijacking":3,"related-s\u002Fsession-hijacking":220},{"id":4,"title":5,"acronym":6,"body":7,"category":199,"description":200,"difficulty":201,"extension":202,"letter":203,"meta":204,"navigation":205,"path":206,"related":207,"seo":214,"sitemap":215,"stem":218,"subcategory":6,"__hash__":219},"terms\u002Fterms\u002Fs\u002Fsession-hijacking.md","Session Hijacking",null,{"type":8,"value":9,"toc":193},"minimark",[10,15,19,23,26,30,182,186,189],[11,12,14],"h2",{"id":13},"eli5-the-vibe-check","ELI5 — The Vibe Check",[16,17,18],"p",{},"Session hijacking is when an attacker steals your session cookie or token and impersonates you. Like stealing someone's festival wristband and using it to get into shows in their place. The real user gets locked out or has no idea. Secure cookies, HTTPS, and short session lifetimes limit the damage.",[11,20,22],{"id":21},"real-talk","Real Talk",[16,24,25],{},"Session hijacking (session theft) occurs when an attacker obtains a valid session identifier to impersonate an authenticated user. Methods include XSS (steal cookies via JavaScript), network interception (without HTTPS), and predictable session IDs. 
Mitigations: HttpOnly, Secure, and SameSite cookie flags; short session timeouts with server-side invalidation on logout; HTTPS everywhere; long, random session IDs from a cryptographically secure generator (never predictable or sequential); and issuing a fresh session ID at login so a pre-set ID cannot be reused. Caveat: HttpOnly only stops scripts from reading the cookie — an XSS payload can still send authenticated requests from the victim's browser, so fixing the XSS matters more than the flag.",[11,27,29],{"id":28},"show-me-the-code","Show Me The Code",[31,32,37],"pre",{"className":33,"code":34,"language":35,"meta":36,"style":36},"language-javascript shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","\u002F\u002F Setting secure session cookies\nres.cookie('sessionId', sessionToken, {\n  httpOnly: true,  \u002F\u002F JavaScript cannot read this cookie\n  secure: true,    \u002F\u002F Only sent over HTTPS\n  sameSite: 'strict', \u002F\u002F Blocks CSRF\n  maxAge: 15 * 60 * 1000, \u002F\u002F 15 minutes\n});\n","javascript","",[38,39,40,49,87,106,121,142,170],"code",{"__ignoreMap":36},[41,42,45],"span",{"class":43,"line":44},"line",1,[41,46,48],{"class":47},"sHwdD","\u002F\u002F Setting secure session cookies\n",[41,50,52,56,60,64,67,70,74,76,79,82,84],{"class":43,"line":51},2,[41,53,55],{"class":54},"sTEyZ","res",[41,57,59],{"class":58},"sMK4o",".",[41,61,63],{"class":62},"s2Zo4","cookie",[41,65,66],{"class":54},"(",[41,68,69],{"class":58},"'",[41,71,73],{"class":72},"sfazB","sessionId",[41,75,69],{"class":58},[41,77,78],{"class":58},",",[41,80,81],{"class":54}," sessionToken",[41,83,78],{"class":58},[41,85,86],{"class":58}," {\n",[41,88,90,94,97,101,103],{"class":43,"line":89},3,[41,91,93],{"class":92},"swJcz","  httpOnly",[41,95,96],{"class":58},":",[41,98,100],{"class":99},"sfNiH"," true",[41,102,78],{"class":58},[41,104,105],{"class":47},"  \u002F\u002F JavaScript cannot read this cookie\n",[41,107,109,112,114,116,118],{"class":43,"line":108},4,[41,110,111],{"class":92},"  secure",[41,113,96],{"class":58},[41,115,100],{"class":99},[41,117,78],{"class":58},[41,119,120],{"class":47},"    \u002F\u002F Only sent over HTTPS\n",[41,122,124,127,129,132,135,137,139],{"class":43,"line":123},5,[41,125,126],{"class":92},"  sameSite",[41,128,96],{"class":58},[41,130,131],{"class":58}," 
'",[41,133,134],{"class":72},"strict",[41,136,69],{"class":58},[41,138,78],{"class":58},[41,140,141],{"class":47}," \u002F\u002F Blocks CSRF\n",[41,143,145,148,150,154,157,160,162,165,167],{"class":43,"line":144},6,[41,146,147],{"class":92},"  maxAge",[41,149,96],{"class":58},[41,151,153],{"class":152},"sbssI"," 15",[41,155,156],{"class":58}," *",[41,158,159],{"class":152}," 60",[41,161,156],{"class":58},[41,163,164],{"class":152}," 1000",[41,166,78],{"class":58},[41,168,169],{"class":47}," \u002F\u002F 15 minutes\n",[41,171,173,176,179],{"class":43,"line":172},7,[41,174,175],{"class":58},"}",[41,177,178],{"class":54},")",[41,180,181],{"class":58},";\n",[11,183,185],{"id":184},"when-youll-hear-this","When You'll Hear This",[16,187,188],{},"\"XSS vulnerabilities enable session hijacking via document.cookie.\" \u002F \"Set HttpOnly on session cookies to prevent JavaScript access.\"",[190,191,192],"style",{},"html pre.shiki code .sHwdD, html code.shiki .sHwdD{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#546E7A;--shiki-default-font-style:italic;--shiki-dark:#676E95;--shiki-dark-font-style:italic}html pre.shiki code .sTEyZ, html code.shiki .sTEyZ{--shiki-light:#90A4AE;--shiki-default:#EEFFFF;--shiki-dark:#BABED8}html pre.shiki code .sMK4o, html code.shiki .sMK4o{--shiki-light:#39ADB5;--shiki-default:#89DDFF;--shiki-dark:#89DDFF}html pre.shiki code .s2Zo4, html code.shiki .s2Zo4{--shiki-light:#6182B8;--shiki-default:#82AAFF;--shiki-dark:#82AAFF}html pre.shiki code .sfazB, html code.shiki .sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html pre.shiki code .swJcz, html code.shiki .swJcz{--shiki-light:#E53935;--shiki-default:#F07178;--shiki-dark:#F07178}html pre.shiki code .sfNiH, html code.shiki .sfNiH{--shiki-light:#FF5370;--shiki-default:#FF9CAC;--shiki-dark:#FF9CAC}html pre.shiki code .sbssI, html code.shiki .sbssI{--shiki-light:#F76D47;--shiki-default:#F78C6C;--shiki-dark:#F78C6C}html .light .shiki span {color: 
var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}",{"title":36,"searchDepth":51,"depth":51,"links":194},[195,196,197,198],{"id":13,"depth":51,"text":14},{"id":21,"depth":51,"text":22},{"id":28,"depth":51,"text":29},{"id":184,"depth":51,"text":185},"security","Session hijacking is when an attacker steals your session cookie or token and impersonates 
you.","intermediate","md","s",{},true,"\u002Fterms\u002Fs\u002Fsession-hijacking",[208,209,210,211,212,213],"Authentication","Token","XSS","CSRF","HTTPS","Man-in-the-Middle",{"title":5,"description":200},{"changefreq":216,"priority":217},"weekly",0.7,"terms\u002Fs\u002Fsession-hijacking","MzfimnvsgVPbAgyPBOTaSyjO1qbENHbX1BKiQ6Ot9-8",[221,226,229,234,238,242],{"title":208,"path":222,"acronym":223,"category":199,"difficulty":224,"description":225},"\u002Fterms\u002Fa\u002Fauthentication","AuthN","beginner","Authentication is proving you are who you say you are.",{"title":211,"path":227,"acronym":211,"category":199,"difficulty":201,"description":228},"\u002Fterms\u002Fc\u002Fcsrf","CSRF (Cross-Site Request Forgery) is when a bad website hijacks your logged-in session on a good website to do things you didn't ask for.",{"title":212,"path":230,"acronym":231,"category":232,"difficulty":224,"description":233},"\u002Fterms\u002Fh\u002Fhttps","HyperText Transfer Protocol Secure","networking","HTTPS is HTTP but with a bodyguard. All the data flying between your browser and the website is scrambled so nobody can spy on it.",{"title":213,"path":235,"acronym":236,"category":199,"difficulty":201,"description":237},"\u002Fterms\u002Fm\u002Fman-in-the-middle","MITM","A man-in-the-middle attack is when a hacker secretly sits between you and the website you're talking to, reading and possibly changing everything you send...",{"title":209,"path":239,"acronym":6,"category":240,"difficulty":224,"description":241},"\u002Fterms\u002Ft\u002Ftoken","vibecoding","In AI-land, a token is a chunk of text — roughly 3\u002F4 of a word.",{"title":210,"path":243,"acronym":210,"category":199,"difficulty":201,"description":244},"\u002Fterms\u002Fx\u002Fxss","XSS stands for Cross-Site Scripting. Hackers inject their own JavaScript into your site so when other users visit, the evil script runs in their browser.",1776518312785]