
So, I'm developing a Flask web app and I wanted to test its security, since I've implemented the following:

  • SSL cert, with cookies being securely transmitted
  • CSRF token to avoid CSRF attacks
  • Cookie validation, to avoid cookie modification
  • Cookies are httpOnly to avoid XSS

Now, in a hypothetical case in which one of my users got tricked into revealing his cookies to a malicious user, and this user injects those session cookies into his own browser, the web app admits the malicious user, allowing him to enter the session.

I tested it with Chrome and an incognito window (on the same computer), and I could hijack the session. Is there a way to prevent this? As I understand it, Facebook has successfully protected against cookie injection, but I'm not sure about it.

1 Answer


You can check for changes in the IP location of the request or the user-agent info sent in the request headers. This will not solve the problem 100%, but it can help in providing tighter security.

Also, there is another very reliable way to detect session hijacking. This method is called "rotating refresh tokens". It basically uses two tokens (access and refresh tokens) which change over time, and this change allows us to detect token theft. This method is also suggested in IETF's RFC: https://www.rfc-editor.org/rfc/rfc6749#section-10.4

If you want directions on implementing this method, please have a look at this blog post: https://supertokens.io/blog/the-best-way-to-securely-manage-user-sessions
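The two ideas in the answer (a client fingerprint check and rotating refresh tokens with reuse detection) can be shown in a few dozen lines of plain Python that a Flask view could call. This is an added example, not code from the answer, the RFC, or the SuperTokens blog; the in-memory store, the token-family concept, the user-agent fingerprint and all function names are assumptions made here for illustration.

```python
"""Rotating refresh tokens with reuse detection, plus a client fingerprint check.

Added example (not from the original post). Tokens are stored hashed in an
in-memory dict standing in for a database; a "family" groups every token
descended from one login so that reuse of a consumed refresh token can
revoke the whole chain.
"""
import hashlib
import hmac
import secrets
import time

_REFRESH_STORE = {}        # sha256(refresh token) -> record (constructed store)
_REVOKED_FAMILIES = set()  # families killed after theft or fingerprint mismatch

ACCESS_TTL = 15 * 60          # seconds; short-lived access token
REFRESH_TTL = 7 * 24 * 3600   # seconds; longer-lived, single-use refresh token


class TokenTheftDetected(Exception):
    """Raised when an already-consumed refresh token is presented again."""


def _hash(value):
    # Only hashes are stored, so a leaked store yields no usable tokens.
    return hashlib.sha256(value.encode()).hexdigest()


def issue_tokens(user_id, user_agent, family=None, now=None):
    """Mint an access/refresh pair. A fresh login starts a new token family."""
    now = now if now is not None else time.time()
    family = family or secrets.token_urlsafe(16)
    access = secrets.token_urlsafe(32)
    refresh = secrets.token_urlsafe(32)
    _REFRESH_STORE[_hash(refresh)] = {
        "user_id": user_id,
        "family": family,
        "fingerprint": _hash(user_agent),  # assumption: bind to user-agent
        "expires": now + REFRESH_TTL,
        "used": False,
    }
    return {"access": access, "access_expires": now + ACCESS_TTL,
            "refresh": refresh, "family": family}


def rotate(refresh_token, user_agent, now=None):
    """Exchange a refresh token for a new pair; the old one becomes single-use.

    If the same refresh token is presented twice, two parties hold it (the
    real user and whoever copied the cookie), so the whole family is revoked.
    """
    now = now if now is not None else time.time()
    rec = _REFRESH_STORE.get(_hash(refresh_token))
    if rec is None:
        raise PermissionError("unknown refresh token")
    if rec["family"] in _REVOKED_FAMILIES:
        raise PermissionError("token family revoked")
    if rec["used"]:
        _REVOKED_FAMILIES.add(rec["family"])
        raise TokenTheftDetected("refresh token reuse in family " + rec["family"])
    if now > rec["expires"]:
        raise PermissionError("refresh token expired")
    if not hmac.compare_digest(rec["fingerprint"], _hash(user_agent)):
        # The answer's heuristic: a changed client is suspicious, not proof,
        # so force re-authentication rather than silently continuing.
        _REVOKED_FAMILIES.add(rec["family"])
        raise PermissionError("client fingerprint changed; re-authentication required")
    rec["used"] = True
    return issue_tokens(rec["user_id"], user_agent, family=rec["family"], now=now)


def is_family_revoked(family):
    return family in _REVOKED_FAMILIES


def rotate_outcome(refresh_token, user_agent):
    """Label the result of a rotation instead of raising, for callers/tests."""
    try:
        rotate(refresh_token, user_agent)
        return "rotated"
    except TokenTheftDetected:
        return "theft"
    except PermissionError as exc:
        return str(exc)


def demo():
    """Replay the scenario from the question and return the final outcome."""
    ua = "Mozilla/5.0 (constructed demo user agent)"
    pair = issue_tokens("alice", ua)
    stolen = pair["refresh"]
    # The copied cookie is used first by the other party; this looks normal.
    other_pair = rotate(stolen, ua)
    # The real user later presents the same (now consumed) token: theft detected.
    first = rotate_outcome(stolen, ua)
    # The other party's fresh pair is dead too, because the family is revoked.
    second = rotate_outcome(other_pair["refresh"], ua)
    return first, second


if __name__ == "__main__":
    print(demo())  # ('theft', 'token family revoked')
```

In a Flask app the refresh token would live in an httpOnly, Secure cookie and `rotate()` would run in the `/refresh` view; the trade-off to keep in mind is that legitimate clients which retry a refresh after a dropped response will also trip the reuse check, so the view should respond by forcing a normal login rather than treating it as a confirmed attack.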