
Session hijacking?

New Contributor

Session hijacking?

We've had a user report successfully hijacking a session using droidsheep, a port of firesheep. Essentially this tool captures network traffic and retrieves the session ID. Using the session ID you are then able to take over the session without entering a username/password.

We have not had time to look into this very thoroughly, but it looks like enabling the "Do not include session cookie in URL" setting prevents this security issue.

Why this setting is not enabled by default I don't know, but I highly recommend checking the setting on your SA.

I will post more information on this when we have time...

Respected Contributor

Re: Session hijacking?

It is not enabled by default because without it some browsers do not work (Firefox, for example).

When you are using this, is the source IP changing?
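A defender-side log check that ties the two posts together, added here as an example and not code from this thread or from the product being discussed. It parses a constructed, hypothetical log format (real access-log formats differ) and reports session IDs seen from more than one source IP, which is the question in the reply above, and requests that carry the session ID in the URL, which is what the "Do not include session cookie in URL" setting is meant to stop.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a hypothetical "ip method path sid=<cookie value>" format;
# "sid=-" means the request carried no session cookie.
LOG_LINES = [
    "10.0.0.5 GET /app/home sid=abc123",
    "10.0.0.5 GET /app/inbox sid=abc123",
    "10.0.0.9 GET /app/inbox sid=abc123",              # same session id, different source IP
    "10.0.0.7 GET /app/home?sid=def456 sid=-",         # session id carried in the URL instead
    "10.0.0.8 GET /app/home;jsessionid=ghi789 sid=-",  # session id as a path parameter
    "10.0.0.8 GET /app/home sid=xyz789",
]

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) sid=(?P<sid>\S+)$")
# Common parameter names under which a session id ends up in a URL (query or path parameter).
URL_SID_RE = re.compile(r"[;?&](?:sid|sessionid|jsessionid)=", re.IGNORECASE)


def parse_line(line):
    """Return a dict with ip/method/path/sid, or None if the line does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def sessions_with_multiple_ips(lines):
    """Map each session id seen from more than one source IP to the sorted list of those IPs.

    A session that jumps between addresses is the signal to look for when a sniffed
    session id is replayed from another machine."""
    ips_by_sid = defaultdict(set)
    for rec in map(parse_line, lines):
        if rec and rec["sid"] != "-":
            ips_by_sid[rec["sid"]].add(rec["ip"])
    return {sid: sorted(ips) for sid, ips in ips_by_sid.items() if len(ips) > 1}


def session_ids_in_urls(lines):
    """List (ip, path) for requests that carry a session id in the URL."""
    return [(rec["ip"], rec["path"]) for rec in map(parse_line, lines)
            if rec and URL_SID_RE.search(rec["path"])]


if __name__ == "__main__":
    for sid, ips in sessions_with_multiple_ips(LOG_LINES).items():
        print(f"session {sid} used from several IPs: {', '.join(ips)}")
    for ip, path in session_ids_in_urls(LOG_LINES):
        print(f"session id exposed in URL from {ip}: {path}")
```

A session ID that legitimately changes IP (mobile users, proxies) will also show up, so treat the first check as a lead to investigate rather than proof of hijacking.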