How to prevent session hijacking in Django?


Session hijacking, also called session forging, is a security issue that most websites are exposed to. This article explains the attack and how to protect a Django site against it.

It is a broad class of attacks on a user's session data rather than one specific attack. Its main forms are discussed below.

  • A man-in-the-middle attack occurs when an attacker intercepts session data, typically the session cookie, as it travels over the network.

  • A cookie-forging attack is one in which an attacker alters data stored in a cookie that the site wrongly assumes the client will not change. Websites have a long history of setting cookies such as IsLoggedIn=1 or even LoggedInAsUser=ram; exploiting them takes nothing more than editing the cookie value in the browser.

    That is why you should never trust anything stored in a cookie: you cannot know who has been digging around in it.

  • In session fixation, an attacker tricks a user into using a session ID that the attacker has chosen or already knows.

    This is easiest where the session ID may be carried in the URL. PHP, for example, can be configured to accept session identifiers from the URL (for example, http://exg.com/?PHPSESSID=gja65k02n93a32), so the attacker only needs the victim to follow such a link.

  • In session forging, an attacker presents a session ID obtained by other means, most likely through a man-in-the-middle attack, in order to act as another user.

    An example that combines this with the man-in-the-middle attack above: an attacker in a shopping mall uses the mall's open wireless network to capture a shopper's session cookie, then replays that cookie to impersonate the original user.

  • When a user is tricked into clicking a link that carries a hard-coded session ID, the user's browser adopts that session. Phishing attacks have used this form of session fixation to make victims enter personal information into an account the attacker controls; the attacker later logs into that account and reads the data.

  • In session poisoning, an attacker injects malicious content into a user's session. This is normally done through a web form whose submitted values the application copies into the session data without validating them.

These are the main ways in which sessions are hijacked or forged. The next section covers how to defend against them.

The solution to session hijacking

There are a few broad guidelines that help you avoid these attacks:

Never allow session information to be carried in the URL. Django's session framework simply does not support sessions in URLs: the session key travels only in a cookie.

Instead of storing data directly in cookies, store only a session ID that refers to session data kept on the server. Django's built-in session framework, request.session, does this for you: the only cookie it uses carries a single random session ID, and all session data lives on the server side, in the database by default.

If you display session data in a template, remember that it must be escaped. Django's template engine escapes variables by default; the point is not to switch that off with |safe or mark_safe for values that came from the session.

Whenever feasible, make session IDs impossible to guess. Detecting that someone has hijacked a valid session ID is nearly impossible, but Django does defend against brute-force attacks on session IDs: session keys are long random strings rather than sequential integers, and if a client presents a session ID that does not exist, Django discards it and issues a fresh one when the session is next saved, which also defeats session fixation.
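To make the cookie-forging and session-fixation points above concrete, and to show the server-side design these guidelines recommend, here is an added example; it is not code from the article or from Django itself. It contrasts a site that trusts IsLoggedIn / LoggedInAsUser cookies with a toy in-memory session store that copies the semantics of Django's backends: a random 32-character key, and a key the server does not recognise is dropped rather than adopted. The cookie names, the SessionStore class, handle_request and the in-memory store are all assumptions of the example.

```python
"""Two ways to remember who is logged in (added example, not Django's code).

Design A stores the state in the cookie itself (IsLoggedIn=1,
LoggedInAsUser=ram): the client can edit it at will.  Design B stores
only an opaque session key in the cookie and keeps the data on the
server, following the semantics the Django session framework uses:
keys are random, and a key the server does not recognise is discarded
rather than adopted, so a client cannot fix its own session ID.
"""
import math
import secrets
from http.cookies import SimpleCookie

# Django's default: 32 characters drawn from lowercase letters and digits.
KEY_LENGTH = 32
KEY_ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def parse_cookie_header(header: str) -> dict:
    """Turn a raw 'Cookie:' header into a name -> value dict."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


# --- Design A: trust what the cookie says ---------------------------------
def whoami_from_cookie_state(cookie_header: str) -> str:
    """Vulnerable: the identity is whatever the client wrote in the cookie."""
    cookies = parse_cookie_header(cookie_header)
    if cookies.get("IsLoggedIn") == "1":
        return cookies.get("LoggedInAsUser", "anonymous")
    return "anonymous"


# --- Design B: opaque key in the cookie, data on the server ---------------
class SessionStore:
    """In-memory stand-in (constructed for this example) for Django's
    database-backed session store."""

    def __init__(self):
        self._sessions = {}  # session_key -> session data

    def _new_key(self) -> str:
        while True:
            key = "".join(secrets.choice(KEY_ALPHABET) for _ in range(KEY_LENGTH))
            if key not in self._sessions:
                return key

    def load(self, key):
        """Return (key, data). An unknown key is dropped (becomes None) and
        yields an empty session, the same way Django's backends behave."""
        if key in self._sessions:
            return key, dict(self._sessions[key])
        return None, {}

    def save(self, key, data) -> str:
        """Persist data. A session without a valid key gets a fresh random
        key from the server; the client never gets to pick it."""
        if key is None:
            key = self._new_key()
        self._sessions[key] = dict(data)
        return key


def handle_request(store: SessionStore, cookie_header: str, login_as=None):
    """Simulate one request. Returns (current user, session key to set).
    A None key means the client's key was not honoured and nothing was saved."""
    presented = parse_cookie_header(cookie_header).get("sessionid")
    key, data = store.load(presented)
    if login_as is not None:
        data["user"] = login_as
        key = store.save(key, data)
    return data.get("user", "anonymous"), key


def session_key_entropy_bits() -> float:
    """Bits an attacker must guess for one key: log2(36**32), about 165."""
    return KEY_LENGTH * math.log2(len(KEY_ALPHABET))


if __name__ == "__main__":
    # Design A: changing one cookie value is a full account takeover.
    print(whoami_from_cookie_state("IsLoggedIn=1; LoggedInAsUser=ram"))    # ram
    print(whoami_from_cookie_state("IsLoggedIn=1; LoggedInAsUser=admin"))  # admin

    # Design B: a key chosen by an attacker (fixation) is never adopted.
    store = SessionStore()
    fixed = "a" * KEY_LENGTH                      # attacker-chosen key
    user, key = handle_request(store, f"sessionid={fixed}", login_as="ram")
    print(user, key != fixed)                     # ram True
    print(handle_request(store, f"sessionid={fixed}"))  # attacker's key: anonymous
    print(handle_request(store, f"sessionid={key}"))    # real key: ram
    print(round(session_key_entropy_bits()))      # 165
```

The fixation sequence at the end is the one to study: the victim arrives with the attacker's key, logs in, and leaves with a server-chosen key, so the attacker's copy of the fixed key never resolves to a logged-in session. The entropy figure is why brute force is hopeless: about 2^165 candidates per key.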

None of these measures protects against a man-in-the-middle attack, and such attacks are nearly impossible to detect from the server. If logged-in users handle sensitive data on your site, the site should be served over HTTPS.

Finally, if your site runs over HTTPS, set SESSION_COOKIE_SECURE = True in settings.py. Django then marks the session cookie with the Secure attribute, so the browser sends it only over HTTPS connections and it cannot leak on a plain-HTTP request to the same host.
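The settings side of these guidelines, as an added example that is not code from the article or from Django itself. It assumes the site is reachable only over HTTPS; each "default:" comment names Django's default, which is the weak setting, and the assignment below it is the hardened value. The concrete lifetimes (eight hours, 30 days) are choices made for this example, not Django recommendations.

```python
# Excerpt of a Django settings.py (added example; not the article's or
# Django's own code). Assumes the site is served only over HTTPS.

# Sessions are stored server side (here, the database); the cookie carries
# only the random session key, never the session data itself.
SESSION_ENGINE = "django.contrib.sessions.backends.db"

# default: False. Left at False, the browser also sends the session cookie
# on plain http:// requests, where a network attacker can capture it.
SESSION_COOKIE_SECURE = True

# default: True. Keep it: JavaScript cannot read the cookie, so a script
# injected into a page cannot read out the session key.
SESSION_COOKIE_HTTPONLY = True

# default: "Lax". "Strict" also withholds the cookie on top-level
# navigations from other sites; use it if the login flow does not depend
# on links arriving from elsewhere.
SESSION_COOKIE_SAMESITE = "Lax"

# default: 1209600 seconds (two weeks). A shorter lifetime narrows the
# window in which a captured session key stays useful. Eight hours is an
# assumption of this example.
SESSION_COOKIE_AGE = 60 * 60 * 8

# default: False and 0. Redirect plain HTTP to HTTPS and ask browsers to
# keep using HTTPS, so the cookie is never sent over an unencrypted hop.
# Start HSTS with a short period and raise it once HTTPS is confirmed to
# work everywhere.
SECURE_SSL_REDIRECT = True
SECURE_HSTS_SECONDS = 60 * 60 * 24 * 30
```

After deploying, run python manage.py check --deploy: it warns when SESSION_COOKIE_SECURE is still False, which is a quick way to confirm the setting actually took effect in the environment that serves production traffic.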

Applied together, these measures substantially reduce the risk of session hijacking.

Updated on: 05-Sep-2022
