What are session IDs or session cookies ?

Talking in simple language, whenever we sign into an account it generates a unique piece of string. One copy is saved on server and other in our browser as cookie. Both are matched every time we do anything in our account. This piece of string or login session is destroyed when we click on 'Sign Out' option.

Just login to yahoo.com. Type in browser javascript:alert(document.cookie);
You would get a pop up box showing you the cookies. Now login to your account and do same thing, you would see more elements added to the cookies. These represent session ids .
Note: By saying , stealing sessions or stealing cookies, I mean the same thing. Sessions are stored in our browser in form of cookies.

 An attacker can steal that session by convincing victim to run a piece of code in browser. Attacker can use that stolen session to login into victim's account without providing any username/password. This attack is very uncommon because when the victim  clicks 'Sign out' , session gets  destroyed and attacker too also gets signed out. 

But in case of yahoo, its not the same.The attacker doesnt get signed out when victim clicks 'Sign out'. Though the session automatically gets destroyed after 24hrs  by yahoo. But when user simply refreshes the windows in yahoo account, he gets sessions for next 24 hrs. This means, once the  yahoo account session is stolen , attacker can access the account for life time by refreshing window in every 24hrs. I am not actually sure whether its 24 or 48 hrs.

Comments

Post a Comment

Popular posts from this blog

HOW TO TRACE MOBILE NUMBER , IP ADDRESS , BULK SMS SENDER , LANDLINE NUMBER ???

Image
HOW TO TRACE MOBILE NUMBER , IP ADDRESS , BULK SMS SENDER , LANDLINE NUMBER ??? Today in this post I'll tell you how can you trace   Mobile numbers, Bulk SMS sender, Pin code, Vehicle number Land  line number etc. Many of people always waste lots of time to find all these information on Internet but its worthless and time consuming,  Your Solution is  INDIA TRACE, it is a   fantastic & All in one website to trace all your needs within few seconds.    http://www.indiatrace.com/
Read more

HOW TO HACK EMAIL ACCOUNT: GMAIL, FACEBOOK, YAHOO HOTMAIL

Image
HOW TO HACK EMAIL ACCOUNT: GMAIL, FACEBOOK, YAHOO HOTMAIL Welcome to (HACKING begins - "An approach to introduce people with the truth of HACKING"),In this articles I'll tell you how can you hack email accounts like gmail, facebook, yahoo, hotmail etc.  Today i am presenting a " FUD Keylogger " Features of our new Keylogger :-     Add To Start Up also included It also Kills Task Manager Automatically Hides the virus after infecting the victim Also Disables Registry Editing Stops victim From Ending Your Keylogger's Process New Icon Changer File Binder With Fake Error Message Includes Time Interval UD You Can Use Gmail Account to get the logs How to use this new FUD Keylogger for hacking Accounts :-  Download Apolyse Keylogger  here Extract File and Open it.     Now open the Remote keylogger and enter new created Gmail account username and password) Then select the other settings as you need and donot forget to change  Time In
Read more