Session hijacking occurs when an attacker gains control of a user’s active authenticated session. In most web applications, once a user has logged in successfully the application issues a session identifier (often in a cookie or token) that is used to recognise them on subsequent requests. If an attacker can obtain or reuse that identifier, they may be able to act as the user without knowing the password or having to bypass any login controls.
Tokens may be exposed through cross-site scripting, insecure storage in browser-accessible locations (for example on shared computers), interception on poorly protected connections, poor authentication implementations that produce predictable session identifiers, or weak session lifecycle controls such as missing timeouts and identifiers that are never rotated.
Multifactor authentication, strong passwords, and account lockout controls offer little protection once a valid session has already been established and stolen. The attacker then inherits the access that the victim had, including any permissions, roles, or entitlements associated with the account. If the victim was a privileged user then the impact can be particularly severe.
An attacker with a hijacked privileged session may be able to exfiltrate data, create new users, alter payment details, or disable security controls, all while activity appears to come from a genuine user.
Session management is a standard focus area in web application penetration testing, where experienced security testers review token handling, cookie flags, timeout behaviour, re-authentication requirements, and exposure to related issues such as CSRF.
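The controls a tester looks for in that review, shown as a small server-side session store. This is an added example, not code from the original article or any particular product; the cookie name `sid`, the 15-minute idle and 8-hour absolute timeouts, and the `SessionStore` API are assumptions chosen for illustration.

```python
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60       # assumed: seconds of inactivity before a session dies
ABSOLUTE_TIMEOUT = 8 * 3600  # assumed: hard lifetime regardless of activity


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    def __init__(self):
        self._sessions = {}

    def create(self, user, now=None):
        # 32 bytes from the OS CSPRNG: unlike counters or timestamps, not guessable
        token = secrets.token_urlsafe(32)
        now = time.time() if now is None else now
        self._sessions[token] = Session(user, now, now)
        return token

    def validate(self, token, now=None):
        now = time.time() if now is None else now
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            self._sessions.pop(token, None)  # expired: drop it so it cannot be replayed
            return None
        s.last_seen = now
        return s.user

    def rotate(self, token, now=None):
        # Issue a fresh identifier at login or re-authentication and kill the old one,
        # so an identifier captured earlier does not carry into the elevated session.
        s = self._sessions.pop(token, None)
        return None if s is None else self.create(s.user, now)

    def revoke(self, token):
        # Logout must invalidate server-side, not just clear the browser cookie
        return self._sessions.pop(token, None) is not None


def session_cookie(token):
    # HttpOnly keeps script (XSS) away from the value, Secure blocks plaintext
    # transport, SameSite=Strict stops cross-site requests carrying it (CSRF)
    return (f"Set-Cookie: sid={token}; Path=/; HttpOnly; Secure; "
            f"SameSite=Strict; Max-Age={ABSOLUTE_TIMEOUT}")
```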