Bind the Session to Prevent Hijacking

You can also make a stolen session ID harder to use by binding the session to client attributes such as the IP address or User-Agent string. Record these values when the authenticated session is created and compare them on every subsequent request. Because they rarely change within one browsing session, a mismatch is a strong indication that the session ID is being replayed by someone other than its owner, and you can respond accordingly: destroy the session, notify the user, and log the event for further analysis. Keep in mind that legitimate changes do happen (a mobile device moving between networks, a browser update changing the User-Agent), so decide in advance whether a mismatch should terminate the session outright or merely force the user to re-authenticate.

An experienced attacker can defeat these checks: the User-Agent header is entirely under the attacker's control and can simply be copied from the victim, and an attacker who shares the victim's public IP address (behind the same NAT gateway or corporate proxy, or relaying through a compromised host on that network) presents the same source address to your server. Binding doesn't offer absolute protection, but it ...
