
Session Hijacking


JonnoTheDev


I've done some research on session hijacking as customers who I am working for are asking more and more about the security of their sites. The standard security measures are always implemented, i.e. prevent bad input data from requests, URL manipulation, SQL injection, etc., but this topic seems to be a bit of a grey area as I am not sure how this is actually tested for.

Let's say we have a login to a protected area of a website. Once the user logs in successfully, a session is set that may contain a user object. The object variables contain user data, say firstname, lastname, etc., making it easy to extract this data on each of the protected pages. Most times I will use a database session handler for user tracking purposes.

My question is, how exactly does someone hijack active sessions and is this something to be concerned about?

https://forums.phpfreaks.com/topic/120540-session-hijacking/

The session id is sent back and forth between the server and the browser. If it is sent back and forth without using an HTTPS/SSL encrypted connection, then anyone monitoring data packets (such as over an unencrypted wireless connection) can get the session id and visit your site using it, and they will appear to be the actual visitor.

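The reply above describes the core risk: whoever can read the session id can present it and be treated as the logged-in user. The PHP below is an added example written for this thread, not code posted by anyone in it and not the original poster's session handler. It shows the server-side settings that keep the id off plain HTTP and out of URLs, a fresh id at login so an id observed beforehand is worthless, and a couple of cheap checks that make a reused id easier to notice. It assumes PHP 7.3 or later (array form of session_set_cookie_params), that the site is served over HTTPS, and `authenticate_user()` is a hypothetical stand-in for the site's own credential check.

```php
<?php
// Added example (not from the thread): hardening PHP session handling so a
// captured session id is less useful to someone sniffing unencrypted traffic.
// Assumes PHP >= 7.3 and an HTTPS-only site; authenticate_user() is a
// hypothetical placeholder for the real login lookup.

declare(strict_types=1);

// 1. Only accept session ids from cookies, never from the URL, and refuse ids
//    the server did not generate itself (blocks session fixation).
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');

// 2. Cookie flags: Secure keeps the id off plain HTTP (the sniffing case in the
//    reply above), HttpOnly keeps it away from page scripts, SameSite=Lax stops
//    most cross-site requests from carrying it.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

session_start();

/** Hypothetical credential check; returns the user record or null. */
function authenticate_user(string $user, string $pass): ?array
{
    // Real code: fetch the row by username and use password_verify().
    return null;
}

function login(string $user, string $pass): bool
{
    $account = authenticate_user($user, $pass);
    if ($account === null) {
        return false;
    }
    // 3. New id at the privilege change, old session data discarded, so any id
    //    captured before login no longer maps to the authenticated session.
    session_regenerate_id(true);
    $_SESSION['user']       = $account;   // firstname, lastname, ...
    $_SESSION['login_time'] = time();
    $_SESSION['client_ip']  = $_SERVER['REMOTE_ADDR'] ?? '';
    return true;
}

function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

function require_login(): void
{
    if (empty($_SESSION['user'])) {
        header('Location: /login.php', true, 303);
        exit;
    }
    // 4. Heuristic hijack detection: a live session suddenly used from another
    //    address is suspicious. IPs do change legitimately (NAT, mobile), so log
    //    it and force re-authentication rather than locking the account.
    if (($_SESSION['client_ip'] ?? '') !== ($_SERVER['REMOTE_ADDR'] ?? '')) {
        error_log('session ' . session_id() . ' seen from a new IP; forcing re-login');
        logout();
        header('Location: /login.php', true, 303);
        exit;
    }
    // 5. Absolute lifetime caps how long a stolen id stays usable at all.
    if (time() - (int) $_SESSION['login_time'] > 8 * 3600) {
        logout();
        header('Location: /login.php', true, 303);
        exit;
    }
}
```

The ini_set() and session_set_cookie_params() calls must run before session_start(), and session_regenerate_id() before any output is sent, otherwise the new cookie cannot be issued. The IP comparison is deliberately a soft check; a database session handler like the one the original poster mentions is a good place to also record the login time and last-seen address per session, which is what makes a reused id visible in logs after the fact.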

A bit like sniffing packets from POST, GET requests, OK. I suppose it depends on what an attacker could actually get at then to determine if I wanted to use an SSL cert. Logging in to a site that allows you to upload photos to a gallery probably wouldn't be worth it, but logging in to a site to get access to payment info, invoices, etc. probably would.

Is session hijacking a common practice, or is it just larger systems that people go after, or dependent on what a hacker can get at?
