Quiz Entry - updated: 2026.07.14
What are the two main attacks on sessions?
Session hijacking = stealing a victim's existing session ID; session fixation = planting a known session ID on the victim, then using it after they log in.
* Hijacking steals an existing session ID; fixation plants a known one and rides it once the victim logs in. *
| Attack | Description | Direction |
|---|---|---|
| Session Hijacking | Stealing a session ID from a victim's system | Attacker ← Victim |
| Session Fixation | "Planting" a session ID into a victim's system | Attacker → Victim |
Session Hijacking methods:
- XSS to steal cookies
- Network sniffing (if not HTTPS)
- Malware on victim's machine
Session Fixation: Attacker creates a session, tricks victim into using it, then hijacks the authenticated session.
Go deeper:
Session hijacking (Wikipedia) — how a live session ID gets stolen (XSS, sniffing) and the countermeasures.
Session fixation (Wikipedia) — the plant-then-ride attack and why regenerating the ID on login defeats it.