Cookie defense
As we discussed in earlier chapters, cookie hijacking is a technique in which an attacker steals session cookies. Cookie hijacking can be defeated if your website is running SSL/TLS 3.0. Many attackers will bypass SSL/TLS by using a combination of man-in-the-middle and SSL strip attacks; however, ensuring that your web application only serves secure pages, meaning it does not provide an HTTP-to-HTTPS redirection, will mitigate those forms of attack.
Tip
Cookie hijacking can work over SSL/TLS connections if attackers use cross-site scripting to send cookies to their servers. Developers can mitigate this risk by setting the Secure and HttpOnly flags on the cookies.
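As an added example (not code from the book), the following sets the Secure and HttpOnly flags on a session cookie using Python's standard library and includes a small check that reports any Set-Cookie header lacking either flag; the cookie name and sample headers are constructed for illustration.

```python
"""Session cookie hardening: emit Set-Cookie headers carrying the Secure and
HttpOnly flags, and audit the Set-Cookie headers a response actually sends.
Constructed example: the cookie name 'sessionid' and the sample headers are
assumptions, not values from the original text."""
from http.cookies import SimpleCookie
from typing import Dict, List, Tuple


def build_session_cookie(name: str, value: str) -> str:
    """Return a Set-Cookie header value for a hardened session cookie.

    Secure   -> the browser sends the cookie only over HTTPS, so a plain
                HTTP request (for example after SSL stripping) never carries it.
    HttpOnly -> document.cookie cannot read it, so script injected via XSS
                cannot ship it to an attacker's server.
    """
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["secure"] = True
    jar[name]["httponly"] = True
    jar[name]["path"] = "/"
    return jar[name].OutputString()


def missing_flags(set_cookie_header: str) -> List[str]:
    """Parse one Set-Cookie header value and list the protective flags it
    lacks. Attribute names are matched case-insensitively, as browsers do."""
    attributes = {part.strip().split("=", 1)[0].lower()
                  for part in set_cookie_header.split(";")[1:]}
    return [flag for flag in ("Secure", "HttpOnly")
            if flag.lower() not in attributes]


def audit_response_headers(headers: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Check every Set-Cookie header of a response and return
    {cookie_name: [missing flags]} for each cookie that lacks at least one."""
    findings: Dict[str, List[str]] = {}
    for field, value in headers:
        if field.lower() != "set-cookie":
            continue
        lacking = missing_flags(value)
        if lacking:
            findings[value.split("=", 1)[0].strip()] = lacking
    return findings


if __name__ == "__main__":
    # Constructed sample response: one hardened cookie and one weak cookie.
    sample = [("Content-Type", "text/html"),
              ("Set-Cookie", build_session_cookie("sessionid", "7f3e2a9c")),
              ("Set-Cookie", "remember=1; Path=/; Max-Age=86400")]
    print(build_session_cookie("sessionid", "7f3e2a9c"))
    print(audit_response_headers(sample))
```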
A common mistake in web application security is assuming that the entire session is secured when in fact only the authentication portal of the web application is. When the entire session is not secured, a user can still be attacked. Developers must ensure that their entire application supports secure and encrypted web sessions through...