Session hijacking
What PingOne does to prevent session hijacking
- Session tokens (such as JSON Web Tokens (JWT)) are used to manage user sessions securely. Each session token is unique to the user and is required to access resources during the session. For more information, refer to Sessions.
- Session tokens have a limited lifespan, ensuring they expire after a short period. This reduces the risk that a stolen session token can be used for an extended period, limiting the damage an attacker can do if they obtain the token. For more information, refer to Sessions.
- All session tokens are signed so that PingOne can detect modification: if a token is intercepted and altered, its digital signature no longer matches what is expected and the token is rejected. For more information, refer to Sessions.
- Session tokens are signed with cryptographic keys, ensuring that tokens cannot be forged or altered. The platform validates the token’s signature to confirm its integrity before allowing access to resources. For more information, refer to Sessions.
- Transport Layer Security (TLS) is used to encrypt all data in transit between users and PingOne. This prevents attackers from intercepting session tokens, credentials, or other sensitive information via man-in-the-middle attacks (commonly used to facilitate session hijacking). For more information, refer to TLS and cipher suite requirements.
- The Secure flag is set on all cookies, ensuring that they are only transmitted over encrypted HTTPS connections. This prevents session cookies from being intercepted over insecure connections. For more information, refer to Token storage.
- The HttpOnly attribute is set on cookies, preventing client-side JavaScript from accessing session cookies. This mitigates the risk of cross-site scripting (XSS) attacks, where an attacker could use injected scripts to steal session cookies. For more information, refer to Token storage.
- Session expiration policies are enforced that automatically terminate user sessions after a specified period of inactivity. This limits the time window during which an attacker can hijack a session if a user forgets to log out or walks away from their device. For more information, refer to Sessions.
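The token checks described above (unique signed tokens, signature validation before granting access, and a short expiry) can be seen end to end in the following added example. It is not PingOne's code: it mints and verifies an HS256-signed JWT with a constructed demo secret and the Python standard library only, whereas PingOne signs tokens with asymmetric keys, so the key handling is a simplification; the verification order (pin the algorithm, check the signature, then check `exp`) is the same. `with_replaced_payload` is a test helper that edits a token without re-signing it, used only to show that the verifier rejects the result.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo key (assumption for this example). A real issuer such as
# PingOne uses asymmetric keys published via JWKS; HS256 with a shared secret
# keeps this example dependency-free while exercising the same checks.
DEMO_SECRET = b"constructed-demo-key-not-a-real-secret"
ALLOWED_ALG = "HS256"  # the verifier pins this; it never trusts the token's header


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()


def mint_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Issue a JWT: base64url(header).base64url(payload).base64url(signature)."""
    header = {"alg": ALLOWED_ALG, "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    return f"{signing_input}.{_b64url_encode(_sign(signing_input, secret))}"


def verify_token(token: str, secret: bytes = DEMO_SECRET,
                 now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). Rejects malformed, tampered and expired tokens."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        presented_sig = _b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return False, "undecodable"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False, "undecodable"
    # 1. Algorithm is pinned server-side, so an attacker-chosen "alg" is ignored.
    if header.get("alg") != ALLOWED_ALG:
        return False, "unexpected alg"
    # 2. Signature covers header and payload; constant-time comparison.
    expected_sig = _sign(f"{header_b64}.{payload_b64}", secret)
    if not hmac.compare_digest(expected_sig, presented_sig):
        return False, "bad signature"
    # 3. Short lifespan: a token past its 'exp' claim is useless even if stolen.
    exp = payload.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)) or now >= exp:
        return False, "expired"
    return True, "ok"


def with_replaced_payload(token: str, new_claims: dict) -> str:
    """Test helper: swap the payload but keep the old signature (no re-signing)."""
    header_b64, _, sig_b64 = token.split(".")
    payload_b64 = _b64url_encode(json.dumps(new_claims, separators=(",", ":")).encode("utf-8"))
    return f"{header_b64}.{payload_b64}.{sig_b64}"


if __name__ == "__main__":
    issued_at = 1_700_000_000  # constructed timestamp
    token = mint_token({"sub": "user-123", "iat": issued_at, "exp": issued_at + 300})
    print("fresh token:   ", verify_token(token, now=issued_at + 10))
    print("after expiry:  ", verify_token(token, now=issued_at + 300))
    edited = with_replaced_payload(token, {"sub": "user-999", "iat": issued_at, "exp": issued_at + 300})
    print("edited payload:", verify_token(edited, now=issued_at + 10))
    print("wrong key:     ", verify_token(token, secret=b"other-key", now=issued_at + 10))
```

The three checks run in a fixed order so that an unsigned or wrongly signed token never reaches the expiry logic, and the expiry check uses an injectable clock so the behaviour at the boundary can be tested deterministically.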
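The Secure and HttpOnly attributes above, together with a short cookie lifetime, are something an operator can verify on their own application's responses. The following added check (not PingOne's code) parses `Set-Cookie` header values and reports which of those attributes are missing; the header samples and the 3600-second Max-Age ceiling are constructed values for the example, not PingOne settings.

```python
from typing import Dict, List, Tuple, Union

# Assumed ceiling for a session cookie's Max-Age in this check (constructed;
# set it to whatever your session policy allows).
MAX_SESSION_COOKIE_AGE_SECONDS = 3600

Attrs = Dict[str, Union[str, bool]]


def parse_set_cookie(header: str) -> Tuple[str, Attrs]:
    """Split a Set-Cookie value into (cookie name, {attribute: value or True}).

    Attribute names are case-insensitive per RFC 6265, so they are lower-cased;
    flag attributes without a value (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs: Attrs = {}
    for attr in parts[1:]:
        key, has_value, value = attr.partition("=")
        attrs[key.strip().lower()] = value.strip() if has_value else True
    return name.strip(), attrs


def audit_session_cookie(header: str) -> List[str]:
    """Return findings for one Set-Cookie value; an empty list means it passes."""
    findings: List[str] = []
    _name, attrs = parse_set_cookie(header)
    if "secure" not in attrs:      # cookie would also be sent over plain HTTP
        findings.append("missing Secure")
    if "httponly" not in attrs:    # cookie readable by injected JavaScript
        findings.append("missing HttpOnly")
    max_age = attrs.get("max-age")
    if isinstance(max_age, str) and max_age.isdigit() and int(max_age) > MAX_SESSION_COOKIE_AGE_SECONDS:
        findings.append(f"Max-Age {max_age}s exceeds {MAX_SESSION_COOKIE_AGE_SECONDS}s ceiling")
    return findings


def build_session_cookie(name: str, value: str, max_age: int = 900) -> str:
    """Produce a Set-Cookie value that satisfies the audit above."""
    return f"{name}={value}; Path=/; Max-Age={max_age}; Secure; HttpOnly"


def audit_response(set_cookie_headers: List[str]) -> List[Tuple[str, List[str]]]:
    """Audit every Set-Cookie header of a response, pairing each with its findings."""
    return [(parse_set_cookie(h)[0], audit_session_cookie(h)) for h in set_cookie_headers]


# Constructed sample headers, as they might be captured from a test environment.
SAMPLE_SET_COOKIE_HEADERS = [
    "sid=3f2a9c; Path=/",
    "sid=3f2a9c; Path=/; Secure; HttpOnly",
    "sid=3f2a9c; Path=/; Secure; HttpOnly; Max-Age=2592000",
]

if __name__ == "__main__":
    for cookie_name, findings in audit_response(SAMPLE_SET_COOKIE_HEADERS):
        print(cookie_name, "OK" if not findings else "; ".join(findings))
    print(build_session_cookie("sid", "3f2a9c"))
```

Run it against headers captured from your own application (for example from browser developer tools or a proxy in a test environment); any non-empty findings list is a cookie that would be exposed on insecure connections or to script, which is exactly what the PingOne defaults above are designed to prevent.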
What you can do to prevent session hijacking
- Implement MFA for all login attempts, especially for high-privilege or sensitive operations. Even if an attacker successfully hijacks a session, MFA will require them to provide an additional authentication factor, such as a one-time passcode or biometric data, before they can gain access. For more information, refer to PingOne MFA.
- Use PingOne’s adaptive MFA to trigger additional authentication steps based on suspicious activity, such as access from an unfamiliar location or device. This makes it more difficult for attackers to hijack a session undetected. For more information, refer to PingOne Protect.
- Implement PingOne-supported FIDO2 and WebAuthn as MFA methods. These methods use public-key cryptography and hardware tokens, making it extremely difficult for attackers to steal credentials and hijack sessions, even through phishing attacks. For more information, refer to Multi-factor (MFA) action and FIDO Policies.