Hijacking sessions happens on a remote computer?

I am new in sessions. I read many articles, and I did not understand something. To hijack a session, does the attacker have to be on the same computer that the开发者_C百科 victim logged in on?

I mean like going in the library and you forget to logout.

Or hijacking can be made without this?

Assuming ...

• The attacker did not compromise either the client or server machine, and
• Is not listening in (either local to the client, or local to the server, or on internet core routers), or the connection is sufficiently encrypted
• The session token is sufficiently random (which you can assume for php's built-in session mechanism)
• Your website has no XSS or XSRF vulnerabilities.

... the only way to hijack a session is indeed physically using the browser the victim used before. You can configure the lifetime of the session with the session.cookie_lifetime configuration option. The default (0) advises the browser to invalidate the session as soon as the browser is closed.

It can be made in various ways.

1. Hacker can access/put a virus on the victims computer where he finds his session id.
2. He can listen to the network traffic to sniff out the cookie.
3. It's also possible (especially on shared hosting) to access the directory where session data is stored.
4. If you don't filter input data xss attacks are possible.

You can prevent some of the dangers if you encrypt your connection or session cookies and if you store user's ip/browser when he/she logs in and then check if it the request's ip matches.

Sessions are stored on the server and accessed by a Session ID, and thats a browser cookie. All the person would have to do to hijack a session is use a session ID that someone else is using. In other words, change their session cookie to that of someone else's.