jeudi 12 février 2015

Session Hijacking through sessionId brute-forcing possible?



cookies usually contain a sessionId to keep track of a logged user.


What would prevent a malicious user to forge millions of requests with random sessionIds and send them to a server, hoping to luckily end up with an existing session Id, and therefore stealing a random session ?


The only thing that comes to mind is the fact that the number of possibilities is quite large. However it is not infinite - I would imagine that a malicious botnet owner could easily make millions of tries in a short time.


How can I, as an application developer, prevent this ?


Thanks !





Aucun commentaire:

Enregistrer un commentaire