Session hijacking is the exploitation of a valid computer session in order to gain unauthorized access to information or services available on a computer system. It refers to the interception of a session identifier (“session ID”) used to authenticate a user to a remotely located server.
A session ID is a data string used in network communication to identify a session, which is a series of related messages exchanged between two parties. A secure session is often required between parties for communication that needs to be secure. To achieve a secure session, the parties may employ a cryptographic protocol such as transport layer security (TLS) or secure sockets layer (SSL). Such sessions require the use of a handshake procedure during which the two communicating parties are identified, and at least an encryption key is agreed upon. A session ID is also selected or calculated. With these cryptographic protocols, the session ID is used to avoid unnecessary handshakes on new connections, in order to simplify communication between the parties. A session ID also identifies the encryption and decryption keys used by the parties. The parties may often be a browser operated by a user and a remote server. A session ID is typically provided to the browser upon login to a website hosted by the server. Once the user is logged in, the session ID is included in subsequent messages sent during the session, and this identifies the browser to the server for the duration of the session. If an unscrupulous party obtains the session ID, that party can purport to be the user, since messages transmitted to the server that include the valid session ID may be accepted by the server as coming from the true user. The unscrupulous party may then be provided with access to privileged information of the user, or may even be allowed to transact whilst purporting to be the user. The encryption and decryption keys used by the parties may also be visible to the unscrupulous party, which further simplifies that party's communication with the server.
Attempts have been made to curb session hijacking, including by data encryption, lengthened session identifiers, session key regeneration after login, dynamic session identifiers that change after each request sent to the web server, and the like. According to the applicant's knowledge, these attempts have been only partially successful.
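The following is an added illustration, not part of the applicant's disclosure, of three of the countermeasures listed above as they are commonly implemented on a web server: a long random session ID, regeneration of the ID at login, and rotation of the ID on every request, so that a captured ID stops being honoured once the true user's next request arrives. It assumes a single-process in-memory store and an injectable clock (both assumptions made here for the example).

```python
import secrets
import time


class SessionStore:
    """Server-side session store: 256-bit random IDs, regenerated at login
    and rotated on each request, with idle expiry. Constructed example."""

    def __init__(self, ttl_seconds=900, clock=time.monotonic):
        self._sessions = {}   # session_id -> {"user": str | None, "expires": float}
        self._ttl = ttl_seconds
        self._clock = clock   # injectable so expiry can be tested deterministically

    def _new_id(self):
        # OS CSPRNG; 32 bytes leaves no room for guessing (the "lengthened ID" measure)
        return secrets.token_urlsafe(32)

    def _lookup(self, sid):
        data = self._sessions.get(sid)
        if data is None:
            return None
        if self._clock() > data["expires"]:
            del self._sessions[sid]      # idle session: forget it
            return None
        return data

    def create(self):
        """Issue an anonymous (pre-login) session ID."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "expires": self._clock() + self._ttl}
        return sid

    def login(self, sid, user):
        """Authenticate: the pre-login ID is discarded and a fresh one issued,
        so an ID captured before login carries no post-login privilege."""
        if self._lookup(sid) is None:
            return None
        del self._sessions[sid]
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": user, "expires": self._clock() + self._ttl}
        return new_sid

    def handle_request(self, sid):
        """Validate the presented ID, then rotate it. Returns (user, next_sid)
        or None if the ID is unknown, expired, or already superseded."""
        data = self._lookup(sid)
        if data is None:
            return None
        del self._sessions[sid]          # the presented ID is now dead
        new_sid = self._new_id()
        data["expires"] = self._clock() + self._ttl
        self._sessions[new_sid] = data
        return data["user"], new_sid
```

Per-request rotation as coded here rejects the second of two concurrent requests that present the same ID, which is one reason many deployments rotate only on privilege changes such as login.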
The preceding discussion of the background to the invention is intended only to facilitate an understanding of the present invention. It should be appreciated that the discussion is not an acknowledgment or admission that any of the material referred to was part of the common general knowledge in the art as at the priority date of the application.