
I can manipulate my cookies. I can forge my server-side session id for session hijacking. This is what I understood.


> I can forge my server-side session id for session hijacking. This is what I understood.

Forge this. For each session:

    session_id = bin2hex(random_bytes(32))
Yes, you can change what you send to the server. But you can't hijack another user's session in this probability space (2^-256) by blind guessing. Instead, you need another way to leak their credentials to hijack the session.
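Server-side handling of that session id, as an added Python example that is not from the thread (`secrets.token_hex(32)` stands in for `bin2hex(random_bytes(32))`; the store, its method names and the sample users are assumed): it shows why a client-chosen cookie value only ever maps to no session, and keeps the rejects so tampering can be spotted.

```python
import hashlib
import secrets
import time
from typing import Optional

SESSION_ID_BYTES = 32  # 256 bits, as in bin2hex(random_bytes(32)) above

class SessionStore:
    """Server-side session table keyed by sha256(session_id).

    Only the hash is stored, so a leaked copy of the table does not hand out
    usable cookies; the id held by the client is the only credential.
    """

    def __init__(self) -> None:
        self._sessions = {}  # sha256(session_id) -> {"user": ..., "created": ...}
        self.rejected = []   # malformed or unknown ids seen, for detection/alerting

    @staticmethod
    def _key(session_id: str) -> str:
        return hashlib.sha256(session_id.encode()).hexdigest()

    def create(self, user: str) -> str:
        # secrets is a CSPRNG; token_hex(32) yields 64 hex chars of 256-bit entropy.
        session_id = secrets.token_hex(SESSION_ID_BYTES)
        self._sessions[self._key(session_id)] = {"user": user, "created": time.time()}
        return session_id

    def lookup(self, session_id: str) -> Optional[str]:
        # Reject anything that is not 64 lowercase hex chars before touching the
        # table; a burst of these from one client means cookie tampering or guessing.
        if len(session_id) != 2 * SESSION_ID_BYTES or \
                any(c not in "0123456789abcdef" for c in session_id):
            self.rejected.append(session_id)
            return None
        # Hashing first makes a plain dict lookup safe: its timing reveals nothing
        # about how many characters a guess shares with a real session id.
        data = self._sessions.get(self._key(session_id))
        if data is None:
            self.rejected.append(session_id)
            return None
        return data["user"]

    def guess_probability(self, attempts: int) -> float:
        # Chance that `attempts` blind guesses hit any live session (union bound).
        return len(self._sessions) * attempts / 2 ** (8 * SESSION_ID_BYTES)
```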


I didn't think about it in that much detail, but yes. My point was more that if you look at any technology concept, you will find vulnerabilities if it is misused.



