Session IDs are data that come with cookies to identify each user to a web server. They do not last forever. After certain actions, such as logging off, session IDs expire. In a well-implemented session mechanism, session IDs are unique and unpredictable, as otherwise by guessing another user’s session ID an attacker can present himself as the other user to web server. However, this is not the only way to impersonate a user.
If an attacker can capture a valid cookie or session ID (e.g., through sniffing), then she can authenticate to the server as the other user. Most web servers use HTTPS in their login page to prevent such a session stealing attack. Unfortunately, many of them use only insecure HTTP pages after login. Using HTTP after secure HTTPS authentication creates a huge danger because session cookies are transmitted in clear in every interaction between the client and the server. Thus, securing the login page is not sufficient for complete security.
This 2-minute video (link will be added back soon) shows such a session stealing attack on the Koç University Academic Information System. Luckily, once we have discovered the attack and let the authorities know, it has been fixed. The fix was simple: just use HTTPS connection everywhere in the system.
In general, securing user data depends on the user’s habits. By not sending sensitive data when a web page uses HTTP connection, users can secure their authentication details. Yet, authentication information (i.e., username and password) is not the only confidential information. Many other details, such as the phone number or address, may also be confidential and should only be transmitted to trusted parties over HTTPS networks.
Furthermore, users should not use untrusted WiFi hotsposts for transmitting such confidential information. As seen in the video, this may each the job of an attacker who uses the same WiFi connection to access the user's credentials by sniffing the network.
Prepared by Cansın Yıldırım.