How do I prevent session hijacking by simply copy a cookie from machine to another?

Sam picture Sam · Jun 10, 2013 · Viewed 18.4k times · Source

Most Web Applications use cookies to manage the session for a user and allow you to stay logged in even if the browser was closed.

Let's assume we did everything by the book to make sure the cookie itself is safe.

  • encrypt the content
  • set http only
  • set secure
  • ssl is used for the connection
  • we check for tampering with the content of the cookie

Is it possible to prevent someone with physical access to the machine to copy the cookie and reuse it on another machine and thus stealing the session?

Answer

Celada picture Celada · Jun 10, 2013

It doesn't make sense to "protect" against this. If this kind of copying happens, then either:

  • The end user did it on purpose because they wanted to change computers. This is, of course, not something you should care about or be concerned about.
  • An attacker has already compromised the user's browser and gotten access to the cookies stored inside. By definition this cookie is a secret that proves that the identity of the HTTP client. If the attacker already has access to it, they can already use it in any number of ways of their choosing that you won't be able to prevent or distinguish from the real user accessing the server legitimately.