So, I'm developing a Flask web app and I wanted to test its security since I've implemented the following:
- SSL Cert with cookies being securely transmitted
- CSRF token to avoid CSRF attacks
- Cookie validation, to avoid cookie modification
- Cookies are httpOnly to avoid XSS
Now, in a hypothetical case in which one of my users got tricked into revealing his cookies to a malicious user, and this user injects those session cookies into his own browser, the result is the web app admitting the malicious user and allowing him to enter the session.
I tested it with Chrome and an incognito window (on the same computer), and I could hijack the session. Is there a way to prevent this? As I understand, Facebook has successfully protected against cookie injection, but I'm not sure about it.
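One mitigation along the lines the question asks about, as an added example that is not the asker's code: keep sessions server-side, record a fingerprint of the client at login, and revoke the session when a later request presents the same cookie with a different fingerprint. The store, idle timeout and choice of headers are assumptions; a cookie copied into an incognito window of the same browser, as in the test described, carries the same fingerprint, so this raises the bar and yields a detection signal rather than preventing replay outright.

```python
"""Server-side session binding check (added example, not the asker's code).

Assumes the app stores sessions server-side keyed by a random id carried in
the cookie, and records a fingerprint of the client at login. A request whose
fingerprint differs from the recorded one is treated as a replayed cookie:
the session is revoked and a reason is returned for logging.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Hypothetical in-memory store: session_id -> record. Use Redis or a DB in practice.
SESSIONS: dict = {}
IDLE_TIMEOUT = 15 * 60  # seconds; assumed value, tune per application


def client_fingerprint(user_agent: str, accept_language: str) -> str:
    """Hash of request attributes that should stay stable for one browser."""
    raw = f"{user_agent}\x00{accept_language}".encode()
    return hashlib.sha256(raw).hexdigest()


def create_session(user_id: str, fingerprint: str, now: float) -> str:
    """Start a session bound to the client fingerprint; returns the cookie value."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user_id, "fp": fingerprint, "last_seen": now}
    return sid


def validate_session(sid: str, fingerprint: str, now: float) -> Tuple[Optional[str], str]:
    """Return (user_id, "ok") or (None, reason). Revokes on mismatch or timeout."""
    rec = SESSIONS.get(sid)
    if rec is None:
        return None, "unknown"
    if now - rec["last_seen"] > IDLE_TIMEOUT:
        del SESSIONS[sid]
        return None, "expired"
    # A fingerprint mismatch means the cookie is being presented from a
    # different client than the one that logged in; revoke so neither the
    # legitimate user nor the holder of the copy can keep using it.
    if not hmac.compare_digest(rec["fp"], fingerprint):
        del SESSIONS[sid]
        return None, "fingerprint_mismatch"
    rec["last_seen"] = now
    return rec["user"], "ok"
```

Pair this with short idle timeouts and a "log out everywhere" action that clears every record for a user, so a stolen cookie has a small window even when the fingerprint matches.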