Nov 17, 2009, 14:09 #1
Session hijacking prevention with tokens, what am I missing here?
I am researching session hijacking, and so far I have read this line of code 5 times (or variations of it).
The idea behind it seems to be that if I add a token (an unpredictable value) to the session, then a session hijacker who stole my session (through cookie theft, for example) will not be authenticated because his token is incorrect.
Now, as far as I understand, session data is stored on the server and only the session ID is stored on the client (usually in a cookie), so if this cookie is stolen, the hijacker will automatically inherit the token, rendering its (the token's) protection useless...
What am I missing here?!
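The scenario described in the post, worked through as an added example (this is not code from the original post or from any framework it refers to). It assumes a minimal in-memory session store keyed by session ID, a login that puts an unpredictable token into the server-side session, and the common variant of the pattern in which that token is also embedded in the served page as a hidden form field and compared on submit; all names (SESSIONS, login, render_page, is_authenticated, hijack_with_stolen_cookie) are hypothetical. It shows that whoever presents the stolen session ID is handed the very token the check compares against, so the check passes for the hijacker exactly as it does for the victim.

```python
import secrets

# Constructed in-memory session store: session id -> server-side session data.
# Only the session id travels to the client (in the cookie); the token never does
# directly, but it is derivable by anyone who can present the cookie.
SESSIONS: dict[str, dict] = {}


def login(username: str) -> str:
    """Create a session holding an unpredictable token; return the id that goes in the cookie."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": username, "token": secrets.token_hex(16)}
    return sid


def render_page(cookie_sid: str) -> str:
    """Serve a page for the session identified by the cookie.

    The pattern under discussion typically writes the session's token into a hidden
    form field so it can be compared on the next request. Here the returned string
    stands for that hidden-field value.
    """
    sess = SESSIONS.get(cookie_sid)
    if sess is None:
        raise PermissionError("unknown session")
    return sess["token"]


def is_authenticated(cookie_sid: str, submitted_token: str) -> bool:
    """The check from the question: submitted token must equal the token stored in the session."""
    sess = SESSIONS.get(cookie_sid)
    if sess is None:
        return False
    # Constant-time comparison; the weakness shown below is not a timing issue.
    return secrets.compare_digest(sess["token"], submitted_token)


def hijack_with_stolen_cookie(stolen_sid: str) -> bool:
    """Attacker holds only the victim's session cookie, nothing else.

    They request any page the way the victim's browser would; the server looks up
    the session by the stolen id and hands back the token stored in it. Submitting
    that token satisfies the check, so the token adds nothing against cookie theft.
    """
    token_obtained_via_cookie = render_page(stolen_sid)
    return is_authenticated(stolen_sid, token_obtained_via_cookie)


def legitimate_flow(username: str) -> tuple[str, bool]:
    """Victim logs in and submits a form normally; returns (session id, check result)."""
    sid = login(username)
    return sid, is_authenticated(sid, render_page(sid))


if __name__ == "__main__":
    victim_sid, victim_ok = legitimate_flow("alice")
    print("victim passes check:", victim_ok)
    print("hijacker with only the cookie passes check:", hijack_with_stolen_cookie(victim_sid))
    print("random guess passes check:", is_authenticated(victim_sid, secrets.token_hex(16)))
```

The token does defeat a guess (the last line), because it is unpredictable; what it cannot do is distinguish two clients that both present the same session ID, since the server derives the expected token from that ID alone.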