Session hijacking isn't new to computer
security. The term is most commonly used to describe the process of a TCP
connection taken over by a sequence prediction attack. In such an attack, the
attacker gains control of an already established TCP connection. When applied to
Web application security, session hijacking refers to the takeover of a Web
application session.
HTTP is a stateless protocol with its origins in information dissemination. Clients request a particular resource, which is eventually delivered by the server hosting that resource. The goal of the World Wide Web in its early days was to provide a uniform medium for disseminating information via HTTP and rendering it via HTML. The information could also be cross-referenced using hyperlinks. As time went by, servers gained the ability to handle dynamically generated content and execute programs that generated HTML. Soon enough, the demand for interactivity increased. Because of its ability to handle text and graphics, the browser became the universal client. Small-scale applications began to be hosted on Web servers using CGI scripting, which opened participation to every Internet user who had a browser. The underlying operating system was no longer an issue: as long as you had a browser, you could use the application. Application development went from the central mainframe–terminal concept to the client-server model, and back to a central Web server–browser concept again.
These days, Web application servers host
complex applications, such as an entire office productivity suite. Microsoft
Outlook for the Web is an example of delivering a fully featured e-mail client
over a Web browser. Lotus Domino servers provide a Web interface that lets users
perform more or less the same tasks as can be performed via a Lotus Notes
client.
All multiuser applications embody the concept
of a user session. Each user interacts with the application via a separate user
session. The application keeps track of all who are currently using the
application via sessions. This capability is essential for segregating user
activity.
Despite rapid changes in Web server technology, the HTTP protocol has remained the same. Currently, HTTP 1.1 is still the most widely used version of HTTP. The greatest hurdle in designing and hosting Web-based applications is working around the statelessness of HTTP. There are no standards governing how a Web-based application should provide its own state-maintaining mechanism on top of HTTP, so developers tackle state preservation in different ways. There are poor and good ways of approaching this problem, and both result in a working application; the difference is that poorly implemented session state leads to attacks such as session hijacking.
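As an added illustration (not code from the book), the two session stores below show a poor and a good way of layering state over stateless HTTP: one hands out session IDs from an incrementing counter, the other draws them from the OS random number generator. The `ids_are_sequential` self-check is an assumed audit helper that issues a few sessions and reports whether one ID reveals its neighbours, the property a sequence prediction attack relies on.

```python
import itertools
import secrets


class CounterSessionStore:
    """Poor approach: session IDs come from an incrementing counter,
    so anyone holding one valid ID can derive the adjacent ones."""

    def __init__(self, start=1000):
        self._counter = itertools.count(start)
        self._sessions = {}  # session id -> user name

    def create(self, user):
        sid = str(next(self._counter))
        self._sessions[sid] = user
        return sid

    def lookup(self, sid):
        return self._sessions.get(sid)


class RandomSessionStore:
    """Good approach: 128-bit IDs from the OS CSPRNG via the secrets module,
    which makes one ID useless for predicting any other."""

    def __init__(self):
        self._sessions = {}  # session id -> user name

    def create(self, user):
        sid = secrets.token_hex(16)  # 32 hex characters, 128 bits of entropy
        self._sessions[sid] = user
        return sid

    def lookup(self, sid):
        return self._sessions.get(sid)


def ids_are_sequential(store, samples=8):
    """Audit helper (assumed, not from the book): issue several sessions on a
    scratch store and check whether the IDs form an arithmetic progression.
    Returns True when the store is predictable in that simple sense."""
    ids = [store.create(f"probe{i}") for i in range(samples)]
    try:
        values = [int(sid, 16) for sid in ids]  # decimal digits parse as hex too
    except ValueError:
        return False  # non-numeric IDs cannot form a numeric progression
    diffs = {b - a for a, b in zip(values, values[1:])}
    return len(diffs) == 1
```

Run the check against a fresh instance of each store rather than a live one, since it creates throwaway sessions.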