Ollie Webster (5,035 Points)
If the session ID stored in a cookie somehow gets leaked, is it possible to hijack that session?
You mentioned that, for sessions, all a client needs to do is remember the session ID in a cookie. Is there any further verification provided on this? What if a malicious client attempted to gain access to someone else's session just by presenting their session ID?
AJ Tran (Treehouse Teacher)
Client-side cookies can store the Session ID -- this ID is used to "look up" the actual session information which is USUALLY stored on the server-side.
Check out this resource about session hijacking which provides one really good recommendation (and several others):
Regenerate the session key after initial authentication. This causes the session key to change immediately after authentication, which nullifies session fixation attacks – even if the attacker knows the initial session ID, it becomes useless before it can be used.
Great question and I'm sorry that this didn't get answered for quite a while! I hope my answer will be helpful. :)
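The following is an added illustration of the two points in the answer above, not code from Treehouse or from the linked resource. It is a minimal in-memory session store: the cookie carries only a random session ID, the server resolves that ID to its stored state with no further check (so a leaked, still-valid ID really is enough to take over the session), and the ID is regenerated at login so that an ID an attacker knew before authentication becomes useless. The class and function names, the idle timeout and the injectable clock are choices made for this example.

```python
"""Minimal server-side session store (added example, not Treehouse code).

Demonstrates:
  1. the cookie holds only a session ID; the server looks the state up by it,
     so whoever presents a valid ID *is* that session (nothing else is checked);
  2. regenerating the ID at login makes a pre-authentication ID worthless,
     which is what defeats session fixation.
All names below are chosen for this example; IDLE_TIMEOUT is an assumption.
"""
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds a session may sit unused before it is dropped


class SessionStore:
    def __init__(self, clock=time.time):
        self._sessions = {}  # session_id -> dict of server-side state
        self._clock = clock  # injectable so expiry can be tested offline

    @staticmethod
    def _new_id():
        # 32 random bytes from the OS CSPRNG: an attacker cannot guess an ID,
        # so the only way to obtain one is to have it leak.
        return secrets.token_urlsafe(32)

    def create(self):
        """Start an anonymous session; the returned ID is the cookie value."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def lookup(self, sid):
        """Resolve a presented cookie value to its session state, or None.

        No further verification happens here: a valid ID is sufficient.
        The idle timeout only bounds how long a leaked ID stays usable.
        """
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._clock()
        if now - sess["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        sess["last_seen"] = now
        return sess

    def login(self, sid, user):
        """Authenticate the session and regenerate its ID.

        Returns the new ID, which must replace the old cookie value.
        """
        old = self.lookup(sid)
        state = dict(old) if old else {}
        state["user"] = user
        state["last_seen"] = self._clock()
        # Remove the pre-auth ID so anyone who planted or learned it
        # (session fixation) no longer resolves to anything.
        self._sessions.pop(sid, None)
        new_sid = self._new_id()
        self._sessions[new_sid] = state
        return new_sid

    def logout(self, sid):
        """Destroy the server-side state; the cookie value is then dead."""
        self._sessions.pop(sid, None)


def fixation_demo():
    """Attacker knows the victim's pre-auth ID; victim logs in; that ID is dead."""
    store = SessionStore()
    planted = store.create()  # ID the attacker obtained or planted in the victim's cookie
    victims_new_id = store.login(planted, "victim")
    return {
        "attacker_sees": store.lookup(planted),               # None: regenerated away
        "victim_user": store.lookup(victims_new_id)["user"],  # 'victim'
    }


def hijack_demo():
    """A post-auth ID that leaks is fully usable: regeneration does not help here."""
    store = SessionStore()
    sid = store.login(store.create(), "victim")
    leaked = sid  # e.g. read by injected script or sniffed on a non-TLS connection
    return store.lookup(leaked)["user"]
```

`fixation_demo()` shows the defense the answer quotes: the ID the attacker held before login no longer resolves. `hijack_demo()` shows its limit: if the post-login ID itself leaks, the server cannot tell the attacker from the user, because the ID is the only thing checked. That is why the ID must be unguessable, travel only over TLS, be set with `HttpOnly` and `Secure` cookie attributes, and expire on idle and on logout.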