Session Hijacking

Definition
Session hijacking is when an attacker takes over a valid user session to impersonate that user. It commonly happens by stealing session tokens or cookies through methods such as cross-site scripting (XSS), network eavesdropping, or session fixation.

Why it matters
Once an attacker hijacks a session, they can access the account and perform actions as the legitimate user without ever needing the user's credentials. Protecting session tokens and using secure session management reduces the risk of account takeover and data loss.

Example use case
An attacker exploits an XSS vulnerability to steal a user's session cookie. With that cookie, the attacker is accepted by the web application as the user and performs unauthorized actions, such as changing account settings or initiating transactions.