Can session value be hacked?
When I left a site without logging out, the next time I browsed that site I found I was still logged in there. How does the server restore the session value for my browser? Is there any chance of being hacked in this process? Can that restored session value be stolen by others? Please share your thoughts on this. Thanks in advance.
In all technologies I'm aware of, web-based session values are stored on the remote server. So, to hack your session values would require hacking the remote server. What you are encountering is the fact that your session identifier is stored in a cookie (a session cookie), so that when you re-open your browser the cookie is being used to identify you and provide access to your remote session. Normally session cookies have a short TTL (time to live) before they expire and log you out, but if not, then explicitly logging out should clear it. If you are really worried you can delete your cookies.
What you are seeing is the result of a cookie being stored with your browser to hang on to that session information. Can it be hacked? Depends on the site/application, but no more than it could be if you hadn't closed your browser.
Depending on whether the server checks the IP address trying to use the token (probably a cookie, but it doesn't have to be) against the one that logged in, it might be possible for a thief to use that cookie to gain access to your account.
A well-designed site will not only cause sessions to time-out but also restrict them to a single IP address (and browser user-agent, etc).
As others have noted this is the cookie on your machine.
The way to "hack" it would be to gain access to your machine and then take a copy of the cookie. Or take a copy of the cookie while it is being sent to the browser.
To guard against this you could:
- Send the cookie to the client over https.
- Do not store the cookie on disk (a cookie without a timeout will be stored in memory)
Locking a session to a single IP address can cause problems if your users are coming from a network with two proxy servers.
It uses cookies: a text string your browser keeps on behalf of the site, either for a set time limit or until you close your browser.
Log out if it's a concern. Obviously, if someone else uses the same computer shortly after you, they'd be able to use the site logged in as you. Always explicitly log out from publicly accessible computers.
You would have to sniff his traffic and steal his cookies. Then, if he doesn't log out (so the server does not invalidate the cookies), you could log in with them.
The cookie usually is a session id that connects to a session database on the website's server; however, there are some cookies where most details are in local storage and are normally accessed through JavaScript or an identification key on the server. Most cookies can't be hacked, because you would need to decrypt the cookie by using a key which is normally on the server and then get remote access to the session database.
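The answers above describe the same mechanism from several angles: the browser holds only a session ID in a cookie, the real state lives on the server, the server can expire the session on a timeout or bind it to an IP/user agent, the cookie can be marked for HTTPS only and kept out of disk storage, and a copied cookie keeps working until the owner logs out. The following is an added example (not code from the original thread or from any particular framework) that puts those pieces into one small server-side session store and then replays a "sniffed" cookie the way the sniff-and-steal answer describes. The class and function names, the timeout values and the sample IP addresses are all this example's own assumptions.

```python
"""Added example, not from the original thread: a minimal server-side session
store.  The client only ever sees a random session ID in a cookie; the user,
the timestamps and the client fingerprint stay on the server.  All names and
constants here are assumptions made for the example."""
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60          # seconds of inactivity before the session dies
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # hard cap on session lifetime, regardless of activity


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    client_ip: str
    user_agent: str


class SessionStore:
    def __init__(self, clock=time.time, bind_ip=False):
        self._sessions = {}   # session id -> Session; never sent to the client
        self.clock = clock    # injectable so the scenario below can advance time
        self.bind_ip = bind_ip  # off by default: breaks users behind rotating proxies

    def login(self, user, client_ip, user_agent):
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
        now = self.clock()
        self._sessions[sid] = Session(user, now, now, client_ip, user_agent)
        return sid

    @staticmethod
    def set_cookie_header(sid):
        # No Max-Age/Expires: the browser treats this as a session cookie and keeps
        # it in memory, so it is gone when the browser is closed.
        # Secure: only sent over HTTPS, so a sniffer on the path cannot read it.
        # HttpOnly: not readable by page JavaScript, which limits theft via XSS.
        return f"Set-Cookie: sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"

    def resolve(self, sid, client_ip, user_agent):
        """Return the user for a presented cookie, or None if it is not valid."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s.created > ABSOLUTE_TIMEOUT or now - s.last_seen > IDLE_TIMEOUT:
            self._sessions.pop(sid, None)  # expired: drop the record entirely
            return None
        if s.user_agent != user_agent:
            return None
        if self.bind_ip and s.client_ip != client_ip:
            return None
        s.last_seen = now
        return s.user

    def logout(self, sid):
        # Logout must delete the server-side record; clearing only the browser's
        # cookie would leave any copied cookie usable.
        self._sessions.pop(sid, None)


class FakeClock:
    """Deterministic clock so the scenario can jump past the timeouts."""
    def __init__(self, t=1_000_000.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def hijack_scenario(bind_ip):
    """Replay a copied cookie from another machine, before and after logout."""
    clock = FakeClock()
    store = SessionStore(clock=clock, bind_ip=bind_ip)
    victim_ip, victim_ua = "203.0.113.10", "Mozilla/5.0 (victim)"  # constructed sample values
    attacker_ip = "198.51.100.7"
    sid = store.login("alice", victim_ip, victim_ua)  # victim logs in
    stolen = sid  # attacker copies the cookie value (and the User-Agent he sniffed)

    results = {}
    results["replay_before_logout"] = store.resolve(stolen, attacker_ip, victim_ua)
    clock.advance(60)
    results["victim_still_ok"] = store.resolve(sid, victim_ip, victim_ua)
    store.logout(sid)  # server record gone; the stolen copy is now worthless
    results["replay_after_logout"] = store.resolve(stolen, attacker_ip, victim_ua)

    sid2 = store.login("alice", victim_ip, victim_ua)  # a session nobody logs out of
    clock.advance(IDLE_TIMEOUT + 1)
    results["after_idle_timeout"] = store.resolve(sid2, victim_ip, victim_ua)
    return results
```

With `bind_ip=False` the replayed cookie is accepted until the victim logs out, which is exactly the window the sniffing answer describes; with `bind_ip=True` the same replay from the attacker's address fails, at the cost of breaking legitimate users whose traffic leaves through more than one proxy, the problem the IP-locking caveat above points out. The user-agent check is cheap but weak: an attacker who could sniff the cookie saw the User-Agent header in the same request. The `Secure` flag is what prevents the sniffing in the first place, and the absence of `Max-Age`/`Expires` is what keeps the cookie in memory rather than on disk.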