How to stop session hijacking programmatically?

10 Answers

IT Professional Trainer with 15 years of experience in IT Industry

Encrypting the session value will have zero effect. The session cookie is already an arbitrary value, encrypting it will just generate another arbitrary value that can be sniffed. The only real solution is HTTPS. If you don't want to do SSL on your whole site (maybe you have performance concerns), you might be able to get away with only SSL protecting the sensitive areas. To do that, first make sure your login page is HTTPS. When a user logs in, set a secure cookie (meaning the browser will only transmit it over an SSL link) in addition to the regular session cookie. Then, when a user visits one of your "sensitive" areas, redirect them to HTTPS, and check for the presence of that secure cookie. A real user will have it, a session hijacker will not.

Session hijacking can be avoided by using a secured protocol while logging into your account/session, i.e. using HTTPS over SSL.

UI Designer -- UI Developer -- Web Developer

HTTP is a stateless protocol. In order to track users, web applications rely on server-side sessions. Two basic ways to link clients (usually browsers) to sessions are URL rewriting and HTTP cookies. Both ways allow browsers to send the HTTP session id to the server. URL rewriting automatically changes all URLs and sends the session id as an HTTP request parameter. An HTTP cookie allows the server to send the session id via a cookie to the client when the session begins; the client keeps the cookie in memory and submits it with every subsequent request.

The session id is very critical to web applications. A session is associated with a logged-in user and all his/her security privileges and personal information. If an attacker gets hold of a valid session id, he can impersonate the victim and cause damage. This is called session hijacking. Some general tips to protect sessions are:

Tip #1. Turn off URL rewriting. As stated above, URL rewriting appends the session id to every URL, which will be displayed in the browser window, kept in the browser history and can be captured by many intermediary nodes on the Internet between the browser and the application servers. Furthermore, many web sites link to third-party sites for images or JavaScripts, and those sites could capture the session id through the Referer HTTP header. So whenever possible, turn URL rewriting off. Unfortunately, the Java EE Servlet specification doesn't define a unified way to control URL rewriting; you need to check your application server documentation to find a way to do it.

Tip #2. Start a new session after the user logs in. The ideal way for scalability and performance is to avoid using a session before the user logs in. If you do need to use sessions for anonymous users, then after successful authentication make sure you invalidate the old session and create a new session.

Tip #3. Use the HTTPS protocol for at least the login process and all subsequent requests. If you follow tips #1 and #2, after login the server will send the session id as a cookie to the browser, and all subsequent requests from the browser will contain that cookie. All this traffic must be encrypted via SSL/TLS so that no third party can intercept the session id. If you can't follow tip #2 for any reason, then you must force SSL/TLS for all your web site traffic.

Tip #4. Implement a servlet filter to ensure all accesses to sensitive sections have a valid session and user privileges. This catches any potential break-in and redirects those requests to safe public pages.

Tip #5. Mark the session id cookie Secure and HttpOnly.
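The mechanism the two answers above describe (a fresh session at login, a Secure-only marker cookie alongside the regular session cookie, HTTPS plus a filter guarding sensitive paths), as an added Servlet example; this is not code from any answer on this page. It assumes a Servlet 4.0+ (javax.servlet) container, sensitive paths under /secure/, a session attribute named "user", a marker cookie named SECURE_MARK and a public /login page, all of which are assumed names.

```java
import java.io.IOException;
import java.util.UUID;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Added example; assumed names: /secure/ paths, "user" attribute, SECURE_MARK cookie, /login page.
@WebFilter("/*")
public class SessionGuardFilter implements Filter {
    private static final String MARK = "SECURE_MARK";

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        HttpServletResponse w = (HttpServletResponse) res;
        String path = r.getRequestURI().substring(r.getContextPath().length());
        if (path.startsWith("/secure/")) {
            // Tip #3 and answer 1: sensitive areas are served over TLS only.
            if (!r.isSecure()) {
                w.sendRedirect("https://" + r.getServerName() + r.getRequestURI());
                return;
            }
            // Tip #4 plus answer 1's check: a logged-in session AND the Secure-only marker
            // cookie. A session id sniffed from plain HTTP comes without the marker.
            HttpSession s = r.getSession(false);
            if (s == null || s.getAttribute("user") == null || !hasCookie(r, MARK)) {
                w.sendRedirect(r.getContextPath() + "/login"); // safe public page
                return;
            }
        }
        chain.doFilter(req, res);
    }

    private static boolean hasCookie(HttpServletRequest r, String name) {
        if (r.getCookies() == null) return false;
        for (Cookie c : r.getCookies()) if (name.equals(c.getName())) return true;
        return false;
    }

    /** Call from the HTTPS-only login servlet once credentials have been verified. */
    public static void onLogin(HttpServletRequest r, HttpServletResponse w, String user) {
        HttpSession old = r.getSession(false);
        if (old != null) old.invalidate();     // Tip #2: drop the pre-login session id
        r.getSession(true).setAttribute("user", user);
        Cookie mark = new Cookie(MARK, UUID.randomUUID().toString());
        mark.setSecure(true);                  // Tip #5: sent only over TLS ...
        mark.setHttpOnly(true);                // ... and never exposed to script
        mark.setPath("/");
        w.addCookie(mark);
    }
}
```

For the container's own session cookie, Tip #1 and Tip #5 are set declaratively in web.xml (Servlet 3.0 and later): a session-config element with tracking-mode COOKIE and a cookie-config holding secure and http-only set to true.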

JAVA Trainer with industry level knowledge

First of all, let us be clear about what session hijacking is: session hijacking is the exploitation of a valid computer session to gain unauthorized access to information or services in a computer system. Talking about HTTP or HTTPS means we are targeting the HTTP protocol only. But sessions can be used with protocols other than HTTP. Thus we need to have a generic answer. The basis of this process is encrypting the data at the sender end with the public key shared by the receiver itself, which is actually what is done when using HTTPS. Thus, as the query asks how we can prevent session hijacking programmatically, my solution would be: if you are working with the HTTP protocol you can go for HTTPS, or if you are using some other protocol you can go for the secured version of the same, like we do between HTTP and HTTPS. If there is no such version, then you can use any public key encryption technique available in the market.


The best answer is to use SSL/HTTPS encryption for the entire web site, and then you have the best guarantee that no man-in-the-middle attacks will be able to sniff an existing client session cookie. And perhaps second best is to use some sort of encryption on the session value itself that is stored in your session cookie.


Software Engineer

Specifically, this is regarding when using a client session cookie to identify a session on the server. Is the best answer to use SSL/HTTPS encryption for the entire web site, so that you have the best guarantee that no man-in-the-middle attacks will be able to sniff an existing client session cookie? And perhaps second best, to use some sort of encryption on the session value itself that is stored in your session cookie? If a malicious user has physical access to a machine, can they still look at the filesystem to retrieve a valid session cookie and use that to hijack a session?

