UrbanPro

Learn Java Training from the Best Tutors

  • Affordable fees
  • 1-1 or Group class
  • Flexible Timings
  • Verified Tutors

Search in

How to stop session hijacking programmatically ?

Asked by Last Modified  

10 Answers

Learn Java

Follow 0
Answer

Please enter your answer

IT Professional Trainer with 15 years of experience in IT Industry

Encrypting the session value will have zero effect. The session cookie is already an arbitrary value, encrypting it will just generate another arbitrary value that can be sniffed. The only real solution is HTTPS. If you don't want to do SSL on your whole site (maybe you have performance concerns),...
read more
Encrypting the session value will have zero effect. The session cookie is already an arbitrary value, encrypting it will just generate another arbitrary value that can be sniffed. The only real solution is HTTPS. If you don't want to do SSL on your whole site (maybe you have performance concerns), you might be able to get away with only SSL protecting the sensitive areas. To do that, first make sure your login page is HTTPS. When a user logs in, set a secure cookie (meaning the browser will only transmit it over an SSL link) in addition to the regular session cookie. Then, when a user visits one of your "sensitive" areas, redirect them to HTTPS, and check for the presence of that secure cookie. A real user will have it, a session hijacker will not. read less
Comments

Session Hijacking can be avoided using a secured protocol while logging into your account./session ie. using HTTPS over SSL -
Comments

UI Designer -- UI Developer -- Web Developer

HTTP is a stateless protocol. In order to track users, web applications rely on server side sessions. Two basic ways to link clients(usually browsers) to sessions are through URL rewriting and HTTP cookie. Both ways allow browsers send HTTP session id to server. URL rewriting automatically changes all...
read more
HTTP is a stateless protocol. In order to track users, web applications rely on server side sessions. Two basic ways to link clients(usually browsers) to sessions are through URL rewriting and HTTP cookie. Both ways allow browsers send HTTP session id to server. URL rewriting automatically changes all URLs and sends session id as an HTTP request parameter. HTTP cookie allows server send the session id via a cookie to client when session begins, and client keeps the cookie in memory and submits the cookie with every subsequent request. Session id is very critical to web applications. A session is associated with a logged-in user and all his/her security privileges and personal information. If an attacker gets hold of a valid session id, he can impersonate the victim and conduct damages. This is called session hijacking. Some general tips to protect sessions are: Tip #1. Turn off URL rewriting. As stated above, URL rewriting appends session id to every URL, which will be displayed in browser window, kept in browser history and can be captured by many intermediary nodes on the Internet to the application servers. Furthermore, many web sites link to third party sites for images or javascripts, and those sites could capture session id through Referrer HTTP header. So whenever possible, turn URL rewriting off. Unfortunately, Java EE Servlet specification doesn't define a unified way to control URL rewriting; you need to check your application server documentation to find a way to do it. Tip #2. Start a new session after user logs in. The ideal way for scalability and performance is to avoid using session before user logs in. If you do need to use sessions for anonymous users, after successful authentication, make sure you invalidate the old session and create a new session. Tip #3. Use HTTPS protocol for at least login process and all subsequent requests. If you follow tip #1 and #2, after login, server will send session id as a cookie to browser, and all subsequent requests from browser will contain that cookie. All these traffic must be encrypted via SSL/TLS so that no third party can intercept the session id. If you can't follow tip #2 for any reason, then you must force SSL/TLS for all your web site traffic. Tip #4. Implement a servlet filter to ensure all access for sensitive sections have valid session and user privileges. This catches any potential break-in and redirects those requests to safe public pages. Tip #5. Mark session id cookie secure and HTTPOnly. read less
Comments

JAVA Trainer with industry level knowledge

First of all let us be clear about what is Session Hijacking, session hijacking is exploitation of a valid computer session to gain unauthorized access to information or services in a computer system. Talking about HTTP or HTTPS means we are targeting HTTP protocol only. But session can be used with...
read more
First of all let us be clear about what is Session Hijacking, session hijacking is exploitation of a valid computer session to gain unauthorized access to information or services in a computer system. Talking about HTTP or HTTPS means we are targeting HTTP protocol only. But session can be used with protocols other than HTTP. Thus we need to have a generic answer. The basic of this process is encrypting the data at the sender end with the public key shared by the receiver itself, which is actually done when using HTTPS. Thus as mentioned in the query that how can we prevent session hijacking programmatically, so my solution would be that if you are working with HTTP protocol you can go for HTTPS or if you are using some other protocol you can go for secured version of the same like we do between HTTP and HTTPS. If there is no such then you can use ant public key encryption technique available in the market. read less
Comments

Trainer

Encrypting the session value will have zero effect. The session cookie is already an arbitrary value, encrypting it will just generate another arbitrary value that can be sniffed. The only real solution is HTTPS. If you don't want to do SSL on your whole site (maybe you have performance concerns),...
read more
Encrypting the session value will have zero effect. The session cookie is already an arbitrary value, encrypting it will just generate another arbitrary value that can be sniffed. The only real solution is HTTPS. If you don't want to do SSL on your whole site (maybe you have performance concerns), you might be able to get away with only SSL protecting the sensitive areas. To do that, first make sure your login page is HTTPS. When a user logs in, set a secure cookie (meaning the browser will only transmit it over an SSL link) in addition to the regular session cookie. Then, when a user visits one of your "sensitive" areas, redirect them to HTTPS, and check for the presence of that secure cookie. A real user will have it, a session hijacker will not. read less
Comments

the best answer to use SSL/HTTPS encryption for the entire web site, and you have the best guarantee that no man in the middle attacks will be able to sniff an existing client session cookie And perhaps second best to use some sort of encryption on the session value itself that is stored in your session...
read more
the best answer to use SSL/HTTPS encryption for the entire web site, and you have the best guarantee that no man in the middle attacks will be able to sniff an existing client session cookie And perhaps second best to use some sort of encryption on the session value itself that is stored in your session cookie read less
Comments

PhD in Computer Science with 15 years teaching experience

Session Hijacking can be avoided using a secured protocol while logging into your account./session ie. using HTTPS over SSL
Comments

Software Engineer

76 down vote favorite 40 Specifically this is regarding when using a client session cookie to identify a session on the server. Is the best answer to use SSL/HTTPS encryption for the entire web site, and you have the best guarantee that no man in the middle attacks will be able to sniff an existing...
read more
76 down vote favorite 40 Specifically this is regarding when using a client session cookie to identify a session on the server. Is the best answer to use SSL/HTTPS encryption for the entire web site, and you have the best guarantee that no man in the middle attacks will be able to sniff an existing client session cookie? And perhaps second best to use some sort of encryption on the session value itself that is stored in your session cookie? If a malicious user has physical access to a machine, they can still look at the filesystem to retrieve a valid session cookie and use that to hijack a session? read less
Comments

Expert Professional with 20+ year experience

test
Comments

Software Devloper

The only real solution is HTTPS. If you don't want to do SSL on your whole site (maybe you have performance concerns), you might be able to get away with only SSL protecting the sensitive areas. To do that, first make sure your login page is HTTPS. When a user logs in, set a secure cookie (meaning the...
read more
The only real solution is HTTPS. If you don't want to do SSL on your whole site (maybe you have performance concerns), you might be able to get away with only SSL protecting the sensitive areas. To do that, first make sure your login page is HTTPS. When a user logs in, set a secure cookie (meaning the browser will only transmit it over an SSL link) in addition to the regular session cookie. Then, when a user visits one of your "sensitive" areas, redirect them to HTTPS, and check for the presence of that secure cookie. A real user will have it, a session hijacker will not. read less
Comments

View 8 more Answers

Related Questions

What is the use of package in JAVA?
Have you ever observed why we all are having kitchen / hall / bedroom or any? Have you ever observed why most of the bags contains zips and folders ? Have you ever observed why people create different...
Pushpendra
Hi sir, I'm confused between .net and java. What to choose for a career. I have little bit knowledge of asp.net. Please guide me for this. Thank you
Hello Kirit, The application which were devloped about 2 decades back was mostly coded in java and so you will see so many of the application (in several company and outside) written in java. .Net(collectively...
Kirit
Which is the best IDE to write Java code?
Eclipse and intellige are the best IDE to write Java Code.
Akash
What is Service Locator in java?
The Service Locator abstracts the API lookup (naming) services, vendor dependencies, lookup complexities, and business object creation. Provides a simple interface to clients. This reduces the client's...
Arunava Chatterjee
Why does â??5/2 = 2â?? and not 2.5 in Python?
Due to dynamic Typing. use Numpy , and declare data type , you will get desired result
Srikanth
0 0
6

Now ask question in any of the 1000+ Categories, and get Answers from Tutors and Trainers on UrbanPro.com

Ask a Question

Related Lessons

Java and C trainer
Always think any conspect with real-time example like Object -- object must have states and behaviour then only we will call that thing is Object like fan is Object (rotating,color)

Android : Application Launch time improvements.
For any standard android application, below 3 components play important roles to show 1st interface to user, so that he/she can interact with the app. 1. Custom Application class : Intialize the components...

Java Training Syllabus
Learn JAVA-J2EE Syllabus Core Java - Syllabus aligned to OCA Exam - JDK 8 Object-Oriented Programming (OOPS) concepts: Programming Languages Object Oriented Programming Classes & Objects Pillars...


Fractional Knapsack
Algorithm - Fractional Knapsack import java.util.Scanner; public class Knapsack01 { public static void main(String args) { Scanner scan = new Scanner(System.in); int...

Recommended Articles

In the domain of Information Technology, there is always a lot to learn and implement. However, some technologies have a relatively higher demand than the rest of the others. So here are some popular IT courses for the present and upcoming future: Cloud Computing Cloud Computing is a computing technique which is used...

Read full article >

Java is the most commonly used popular programming language for the creation of web applications and platform today. Integrated Cloud Applications and Platform Services Oracle says, “Java developers worldwide has over 9 million and runs approximately 3 billion mobile phones”.  Right from its first implication as java 1.0...

Read full article >

Designed in a flexible and user-friendly demeanor, Java is the most commonly used programming language for the creation of web applications and platform. It allows developers to “write once, run anywhere” (WORA). It is general-purpose, a high-level programming language developed by Sun Microsystem. Initially known as an...

Read full article >

Before we start on the importance of learning JavaScript, let’s start with a short introduction on the topic. JavaScript is the most popular programming language in the world, precisely it is the language - for Computers, the Web, Servers, Smart Phone, Laptops, Mobiles, Tablets and more. And if you are a beginner or planning...

Read full article >

Looking for Java Training Classes?

Learn from the Best Tutors on UrbanPro

Are you a Tutor or Training Institute?

Join UrbanPro Today to find students near you
X

Looking for Java Training Classes?

The best tutors for Java Training Classes are on UrbanPro

  • Select the best Tutor
  • Book & Attend a Free Demo
  • Pay and start Learning

Learn Java Training with the Best Tutors

The best Tutors for Java Training Classes are on UrbanPro

This website uses cookies

We use cookies to improve user experience. Choose what cookies you allow us to use. You can read more about our Cookie Policy in our Privacy Policy

Accept All
Decline All

UrbanPro.com is India's largest network of most trusted tutors and institutes. Over 55 lakh students rely on UrbanPro.com, to fulfill their learning requirements across 1,000+ categories. Using UrbanPro.com, parents, and students can compare multiple Tutors and Institutes and choose the one that best suits their requirements. More than 7.5 lakh verified Tutors and Institutes are helping millions of students every day and growing their tutoring business on UrbanPro.com. Whether you are looking for a tutor to learn mathematics, a German language trainer to brush up your German language skills or an institute to upgrade your IT skills, we have got the best selection of Tutors and Training Institutes for you. Read more