Session Expiration

links: WS TOC - Broken Authentication - Index


Idea

If an attacker somehow gains access to the victim's browser, they may steal session IDs that the victim no longer uses; because of insufficient session expiration, those sessions are still valid and usable.

How the attack works

The attacker gains access to the victim's browser and goes through its history and storage. There they find a cookie containing a session ID for a web application that does not terminate sessions. The attacker takes this session ID and uses it to impersonate the victim.

To prevent this attack, make sessions expire after a rather short time, so that a session ID left behind in the browser stops being valid soon after the victim stops using it.
