Session hijacking: What is a session hijacking and how does it work?

A woman on her laptop researching what session hijacking is and how it works.

A session hijacking attack happens when an attacker takes over your internet session. A session hijacking attacker can then do anything you could do on the site. Here’s how to help protect against session hijacking.

What is session hijacking? A session hijacking attack happens when an attacker takes over your internet session — for instance, while you’re checking your credit card balance, paying your bills, or shopping at an online store. Session hijackers usually target browser or web application sessions.

A session hijacking attacker can then do anything you could do on the site. In effect, a hijacker fools the website into thinking they are you.

Just as a hijacker can commandeer an airplane and put the passengers in danger, a session hijacker can take over an internet session and cause big trouble for the user.

How does session hijacking work?

There are many different types of session hijacking attacks, and we’ll include details and examples of session hijacking attacks below. But first, let’s take a quick look at how session hijacking works:

Session hijacking Step 1: An unsuspecting internet user logs into an account. The user may log into a bank account, credit card site, online store, or some other application or site. The application or site installs a temporary “session cookie” in the user’s browser. That cookie contains information about the user that allows the site to keep them authenticated and logged in and to track their activity during the session. The session cookie stays in the browser until the user logs out or is automatically logged out.

Session hijacking Step 2: A criminal gains access to the internet user’s valid session. Cybercriminals have different methods to steal sessions. Many common types of session hijacking involve grabbing the user’s session cookie, locating the session ID within the cookie, and using that information to take over the session. The session ID is also known as a session key. When the criminal gets the session ID, they can take over the session without being detected.

Session hijacking Step 3: The session hijacker gets a payoff for stealing the session. Once the original internet user has gone on their way, the hijacker can use the ongoing session to commit an array of nefarious acts. They can steal money from the user’s bank account, purchase items, grab personal data to commit ID theft, or encrypt important data and demand a ransom for its return.

Here are a few hypothetical examples of session hijacking:

  • Session hijacking example #1: Cassie is sitting in a coffee shop sipping a latte and checking her money market account balance. A hijacker at the next table uses “session sniffing” to grab the session cookie, take over the session, and access her bank account.
  • Session hijacking example #2: Justin gets an email about a sale at his favorite online retailer, and he clicks the link and logs in to start shopping. The email was sent by an attacker, who included his own session key in the link. The attacker steals the session, goes on a shopping spree, and pays with Justin’s saved credit card.

Session hijackers know all kinds of tricks for stealing sessions, and it’s good to know how they work so you can help stay safe online.

5 Methods of Session Hijacking

Want to know more about how session hijacking works? Here are the main types of session hijacking attacks that hijackers use to take over internet sessions: 

  1. Brute force – In a brute force attack, the attacker guesses the session ID and uses it to hijack the session. Brute force attacks usually work only when the website has lax security and uses short, easy-to-guess session keys.
  2. Cross-site scripting – A cross-site scripting attack takes advantagesof security weak spots in a web server. In cross-site scripting, an attacker injects scripts into web pages. These scripts cause your web browser to reveal your session key to the attacker so they can take over the session.
  3. Malware – Cybercriminals can trick you into clicking a link that installs malware on your device to allow them to hijack a session. The malware may survey and conduct “session sniffing” to find a session. The malware then grabs the session cookie and sends it to the criminal, who can then get your session ID to take over your session.
  4. Session side jacking – In this type of attack, a criminal needs access to a user’s network traffic. They may gain access when the user uses unsecured Wi-Fi or by engaging in man-in-the-middle attacks. In session side jacking, a criminal uses “packet sniffing” to monitor an internet user’s network traffic to search for sessions. In this way, the attacker is able to get ahold of a session cookie and use it to take over the session.
  5. Session fixation – In a session fixation attack, the criminal creates a session ID and tricks the user into starting a session with it. One common way to do this is to send an email to the user with a link to a login form for the website the attacker wants to access. The user logs in with the phony session ID, giving the attacker a way in the door.

These are some of the most common methods of session hijacking. As you can see, most types of session hijacking either involve guessing or intercepting an existing session cookie or tricking the user into signing in with a session ID created by the attacker.

Popular session hijacking exploits

Here are some session hijacking exploits and tools that have been used by attackers to gain entry to internet sessions:

  • CookieCadger – CookieCadger is an open source tool that can identify “information leakage” from web applications. It can monitor both wired ethernet and unsecure Wi-Fi for unencrypted information including session cookies.
  • DroidSheep – DroidSheep is an open-source Android tool that allows the user to use “packet sniffing” to grab session cookies and other unprotected information from unprotected Wi-Fi web browsing sessions.
  • FireSheep – FireSheep was a browser extension made for Firefox. The FireSheep extension allowed attackers to use “packet sniffing” to find and copy unencrypted session cookies that could be used to perform session hijacking attacks. FireSheep exploited security loopholes and no longer works with the FireFox browser.

As quickly as attackers find tools to help them engage in session hijacking, website owners and technology providers work to try to close the loopholes they exploit. For users, it’s a good idea to go to your settings and enable automatic updates so the latest patches can be installed quickly.

How to prevent session hijacking

There’s a lot you can do to help protect yourself online. Take these steps to help prevent session hijacking and increase your online security:

  1. Avoid public Wi-Fi. Never use public Wi-Fi, especially for important transactions like banking, online shopping, or logging into your email or social media accounts. There may be a cybercriminal at the next table who is using packet sniffing to try to pick up session cookies and other information.
  2. Use a VPN. If you do need to use public Wi-Fi, get a virtual private network (VPN) to help stay safe and keep session hijackers out of your sessions. A VPN masks your IP address and keeps your online activities private by creating a “private tunnel” through which all your online activity travels. A VPN encrypts the data you send and receive.
  3. Add security software. Install reputable security software on your devices and make sure to update it regularly. (You can also set automatic updates.) Security software can detect viruses and protect you from malware, including the malware attackers use to perform session hijacking.
  4. Watch out for scams. Avoid clicking on any link in an email unless you’ve verified it’s from a legitimate sender. Session hijackers may send you an email with a link to click. The link may install malware on your device or take you to a login page that will log you into a site using a session ID prepared by the attacker.
  5. Be aware of site security. Reputable banks, email providers, online merchants, and social media sites have safeguards in place to avoid session hijacking. Smart site owners will install HTTPS on the entire site, not just their homepage. They’ll also find and close security loopholes promptly. Using iffy online shops or other providers that may not have the best security can leave you vulnerable to a session hijacking attack.

The possibility of falling victim to a session hijacking attack can be scary. But just taking these steps will go a long way toward protecting you from these attackers who want to steal your sessions.

Cyber threats have evolved, and so have we.

Norton 360™ with LifeLock™, all-in-one, comprehensive protection against viruses, malware, identity theft, online tracking and much, much more.

Try Norton 360 with Lifelock.

Allie Johnson
  • Allie Johnson
  • Freelance Writer
Allie Johnson is a freelance journalist who covers cybersecurity, privacy, and consumer topics. She has written for Bankrate,, and Discover.

Editorial note: Our articles provide educational information for you. Our offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about Cyber Safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses. The Norton and LifeLock brands are part of Gen Digital Inc. 


    Want more?

    Follow us for all the latest news, tips and updates.