Ollie Webster (5,035 Points)
If the session ID stored in a cookie somehow gets leaked, is it possible to hijack that session?
You mentioned that, for sessions, all a client needs to do is remember the session ID in a cookie. Is there any further verification provided on this? What if a malicious client attempted to gain access to someone else's session just by presenting their session ID?
AJ Tran (Treehouse Teacher)
Client-side cookies can store the Session ID -- this ID is used to "look up" the actual session information which is USUALLY stored on the server-side.
Check out this resource about session hijacking which provides one really good recommendation (and several others):
Regenerate the session key after initial authentication. This causes the session key to change immediately after authentication, which nullifies session fixation attacks – even if the attacker knows the initial session ID, it becomes useless before it can be used.
Great question and I'm sorry that this didn't get answered for quite a while! I hope my answer will be helpful. :)
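To make the recommendation in the answer concrete, here is an added example of a minimal server-side session store that regenerates the session ID on authentication. It is illustrative code written for this thread, not Treehouse's code or the code from the linked resource; the in-memory dictionary store, the `SessionStore` class and its method names are assumptions chosen for the demo (a real application would use a database or cache and would set the cookie with the HttpOnly and Secure flags).

```python
import secrets
import time


class SessionStore:
    """Constructed in-memory session store: session ID -> session data.

    The client only ever holds the ID (in a cookie); the user data lives here.
    """

    def __init__(self, ttl_seconds=1800):
        self._sessions = {}
        self._ttl = ttl_seconds

    @staticmethod
    def _new_id():
        # 32 random bytes from the OS CSPRNG; unguessable, unlike a counter.
        return secrets.token_urlsafe(32)

    def create(self):
        """Start an anonymous (pre-authentication) session and return its ID."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "created": time.time()}
        return sid

    def lookup(self, sid):
        """Resolve a presented ID to session data, or None if unknown/expired."""
        data = self._sessions.get(sid)
        if data is None:
            return None
        if time.time() - data["created"] > self._ttl:
            # Expired: drop it so a stale leaked ID cannot be replayed later.
            del self._sessions[sid]
            return None
        return data

    def authenticate(self, sid, username):
        """Bind a user to the session and rotate the ID.

        Returns the NEW session ID (to be sent as a fresh cookie), or None if
        the presented ID did not resolve.  The pre-authentication ID is deleted,
        so anyone who learned it before login (session fixation) gets nothing.
        """
        data = self.lookup(sid)
        if data is None:
            return None
        del self._sessions[sid]  # old ID is now useless
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": username, "created": time.time()}
        return new_sid

    def logout(self, sid):
        """Invalidate a session server-side; the cookie alone is then worthless."""
        self._sessions.pop(sid, None)


def demo():
    """Walk through login with ID regeneration and report what each ID resolves to."""
    store = SessionStore()
    anon_id = store.create()                       # issued before login
    authed_id = store.authenticate(anon_id, "alice")
    result = {
        "ids_differ": anon_id != authed_id,
        "old_id_dead": store.lookup(anon_id) is None,
        "new_id_user": store.lookup(authed_id)["user"],
        "unknown_id_rejected": store.lookup("constructed-bogus-id") is None,
    }
    store.logout(authed_id)
    result["after_logout"] = store.lookup(authed_id) is None
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Regeneration closes the fixation window the quoted recommendation describes: an ID observed before login never maps to an authenticated session. An ID leaked after login still identifies the session until it expires or the user logs out, which is why the store also enforces a lifetime and a server-side logout, and why the cookie itself should be marked HttpOnly and Secure.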