Session Hijacking
Stealing an active authenticated session token to gain unauthorised access to a victim's account without needing their password.
Also known as: cookie hijacking, session token theft, TCP session hijacking
Last reviewed: 1 June 2026
When you log into a website, the server issues a session token — a unique identifier stored in your browser — to track your authenticated state. Session hijacking involves an attacker capturing this token so they can replay it from their own browser, impersonating you without ever knowing your credentials.
Capture methods include intercepting traffic on unsecured networks (especially non-HTTPS sites), cross-site scripting (XSS) attacks that inject JavaScript to steal cookies, malware that reads browser session storage, and man-in-the-middle attacks on public Wi-Fi. Once a valid session token is obtained, the attacker has full access to the victim's account for as long as the session remains valid.
Defences include enforcing HTTPS everywhere; setting the 'HttpOnly' and 'Secure' cookie flags, which block JavaScript access and unencrypted transmission respectively; short session timeouts; binding high-value sessions to the client's IP address; and Content Security Policy headers to mitigate XSS. Users should log out of sensitive accounts after use and avoid using important accounts on public networks.
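As an added illustration of the defences listed above (example code written for this entry, not taken from any product or library), the following shows a hardened Set-Cookie value, an audit that flags the missing flags on a weak one, and a server-side session table with an idle timeout and optional IP binding. The cookie name, the 900-second timeout and the sample IP addresses are assumptions.

```python
import secrets
import time

IDLE_TIMEOUT = 900  # seconds; a short timeout limits how long a stolen token stays usable


def build_session_cookie(token, max_age=IDLE_TIMEOUT, samesite="Lax"):
    """Hardened Set-Cookie value: HttpOnly (no JS access), Secure (HTTPS only), SameSite, short life."""
    return f"session={token}; Path=/; Max-Age={max_age}; HttpOnly; Secure; SameSite={samesite}"


def audit_set_cookie(header):
    """Return the weaknesses found in a Set-Cookie header value (empty list = passes)."""
    parts = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in parts[1:]:  # parts[0] is name=value; the rest are attributes/flags
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie may be sent over plain HTTP and sniffed")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by injected (XSS) JavaScript")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: cookie attached to cross-site requests")
    if "max-age" not in attrs and "expires" not in attrs:
        findings.append("no Max-Age/Expires: lifetime left entirely to the browser")
    return findings


class SessionStore:
    """Server-side session table: unguessable tokens, idle expiry, optional IP binding."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self._sessions = {}

    def create(self, user, client_ip=None, now=None):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        now = time.time() if now is None else now
        self._sessions[token] = {"user": user, "ip": client_ip, "last_seen": now}
        return token

    def resolve(self, token, client_ip=None, now=None):
        """User for a presented token, or None if unknown, idle-expired or replayed from another IP."""
        now = time.time() if now is None else now
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s["last_seen"] > self.idle_timeout:
            del self._sessions[token]  # expired: a replayed token is now worthless
            return None
        if s["ip"] is not None and client_ip != s["ip"]:
            return None  # bound session presented from a different address
        s["last_seen"] = now
        return s["user"]
```

Note that IP binding is a trade-off: users behind changing addresses (mobile networks, some proxies) will be logged out, which is why the entry reserves it for high-value sessions.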
Examples
- An attacker on the same public Wi-Fi intercepts an unencrypted session cookie and uses it to access the victim's webmail account.
- A malicious script injected via XSS sends session cookies to a remote server, granting the attacker persistent account access.