Session Hijacking: Definition & Examples

Instructor: Beth Hendricks

Beth holds a master's degree in integrated marketing communications, and has worked in journalism and marketing throughout her career.

Session hijacking involves a third party intercepting communication between two others without their knowledge. In this lesson, you'll learn more about this term and how cookies and man-in-the-middle attacks are involved.

Who's In the Middle?

Peggy is pretty excited because she's found her perfect home and is closing on it next week. This week, she is finalizing the sale of her condo to its new buyers, the Smiths. Peggy's lawyer emails her and asks her to send him her bank account number. He explains that he needs the information so that the proceeds from the sale can be transferred into her account in anticipation of her own closing the following week. Peggy immediately fires off her account information in an email back to the attorney.

Unbeknownst to her or her lawyer, cybercriminals are hard at work to steal Peggy's proceeds. Using what looks like Peggy's own email account, they send a second email to her attorney asking him to change the account where the funds will be deposited. The attorney sees nothing amiss and gladly obliges. Now, Peggy's $74,000 is in the account of the cybercriminals and she is hopelessly out of luck.

That sounds pretty awful, doesn't it? It's an example of what is known in the computer world as a man-in-the-middle attack. Essentially, it means that cybercriminals become the unknown "man in the middle" in the communication between Peggy and her lawyer, twisting the communication to their own benefit. It's just one type of session hijacking, the subject of our lesson here. Let's get into it in a little more detail.

Attacks From the Middle

In these attacks the criminal operates as the man in the middle, without the knowledge of either legitimate party. Think of it like eavesdropping on a conversation. That's exactly what man-in-the-middle attackers do: they intercept communications transmitted over the internet and then target your sensitive information for their own benefit. This can happen via email or even while surfing the web.

Have you ever gotten what looked like a mostly legitimate email from a financial institution asking you to log into your account to confirm some critical piece of information? Most likely, the email includes a link the sender wants you to click ... except you start noticing small clues that make the whole thing seem "off." You are not addressed by name, for example, or the name of your bank is spelled wrong.

Most likely, this was an attempt at a man-in-the-middle attack. The sender (the man in the middle, not your bank) was trying to send you to a fake website designed to look like your bank in an attempt to hijack your personal data. (This example also highlights attempts at a phishing attack from the man-in-the-middle sender.)
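The clues described above (a generic greeting, a link whose visible address does not match where it really points, a host that is not the institution's own) can be checked mechanically. The following script is an added example written for this lesson, not code from the original page or from any bank; the sample message, the hostnames in `EXPECTED_HOSTS` and the greeting patterns are all constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample message (not a real email): the link text shows one
# address while the href points somewhere else, and the greeting is generic.
SAMPLE_EMAIL_HTML = """
<p>Dear Customer,</p>
<p>Please confirm your account details at
<a href="http://examplebank-login.example.net/verify">https://www.examplebank.example/</a>
within 24 hours.</p>
"""

# Hostnames the institution is known to use (assumed values for this example).
EXPECTED_HOSTS = {"examplebank.example", "www.examplebank.example"}


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html, expected_hosts):
    """Return one finding per link, each listing the reasons it looks suspicious."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        reasons = []
        if target.scheme != "https":
            reasons.append("link does not use HTTPS")
        if target.hostname not in expected_hosts:
            reasons.append(f"link host {target.hostname!r} is not one of the institution's hosts")
        if text.startswith(("http://", "https://")):
            # The address the reader sees must match the address the browser would open.
            shown = urlparse(text)
            if shown.hostname != target.hostname:
                reasons.append(f"visible host {shown.hostname!r} differs from real host {target.hostname!r}")
        findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


def has_generic_greeting(html):
    """True when the message opens with a greeting that does not use the recipient's name."""
    return re.search(r"Dear\s+(Customer|User|Member|Client)\b", html, re.IGNORECASE) is not None


def assess_email(html, expected_hosts=EXPECTED_HOSTS):
    """Combine the link and greeting checks; 'suspicious' is True if any check fires."""
    findings = check_links(html, expected_hosts)
    generic = has_generic_greeting(html)
    suspicious = generic or any(f["reasons"] for f in findings)
    return {"suspicious": suspicious, "generic_greeting": generic, "links": findings}


if __name__ == "__main__":
    result = assess_email(SAMPLE_EMAIL_HTML)
    print("suspicious:", result["suspicious"])
    for link in result["links"]:
        print(link["href"], "->", link["reasons"])
```

The checks are heuristics: a message that passes them is not proven genuine, and a legitimate newsletter can trip the greeting rule, so the output is an indicator for a reader or a mail filter, not a verdict.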

Man-in-the-middle attacks are considered a type of session hijacking.

What is Session Hijacking?

It sounds pretty scary, right? Session hijacking? It's perhaps a little less frightening than a physical attempt at hijacking, but no less devastating. Session hijacking, like a man-in-the-middle attack, occurs when a cybercriminal "hijacks" the session you have established online.

For example, you visit a retailer's website, prepared to make a purchase. The website asks for your log-in credentials, a user name and password. You enter the information, creating a "session" that is identified with a unique session ID. When you finalize your purchase and log off, the session is closed.

The work of a cybercriminal occurs while your session is open. He or she intercepts the connection between you and the retailer and can either monitor your activity (like entering a credit card) or remove you from the session and take complete control.
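Because everything hinges on that session ID while the session is open, the retailer's side of the story is how the ID is issued, carried and retired. The following session store is an added example written for this lesson, not code from the original page or from any real retailer; the idle timeout, the cookie name, and the use of a simple client fingerprint (for instance a hash of the browser's User-Agent) are assumptions made for illustration.

```python
import secrets
import time

# Idle timeout for a session (assumed value for this example).
SESSION_IDLE_SECONDS = 15 * 60


class SessionStore:
    """In-memory session table; a real site would keep this in a server-side store."""

    def __init__(self, clock=time.time):
        self._sessions = {}  # session_id -> {"user", "fingerprint", "last_seen"}
        self._clock = clock  # injectable so tests can advance time

    def create(self, user, client_fingerprint):
        # 32 random bytes from the OS CSPRNG: an ID that cannot be guessed or counted up.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "fingerprint": client_fingerprint,
                               "last_seen": self._clock()}
        return sid

    def login(self, pre_login_sid, user, client_fingerprint):
        # Drop whatever ID the browser carried before authentication and issue a fresh
        # one, so an ID planted or captured before login never becomes a logged-in session.
        self._sessions.pop(pre_login_sid, None)
        return self.create(user, client_fingerprint)

    def lookup(self, sid, client_fingerprint):
        """Return (user, status). Any status other than 'ok' means the session is gone."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None, "unknown session id"
        now = self._clock()
        if now - rec["last_seen"] > SESSION_IDLE_SECONDS:
            del self._sessions[sid]
            return None, "session expired"
        if rec["fingerprint"] != client_fingerprint:
            # The same ID is now arriving from a different client: treat it as a possible
            # hijack, invalidate it, and let the legitimate user log in again.
            del self._sessions[sid]
            return None, "client changed; possible hijack"
        rec["last_seen"] = now
        return rec["user"], "ok"

    def logout(self, sid):
        # Logging off must destroy the server-side record, not merely clear the cookie.
        self._sessions.pop(sid, None)


def session_cookie_header(sid):
    """Set-Cookie value: Secure keeps the ID off plain HTTP, HttpOnly keeps it away
    from page scripts, SameSite limits when other sites can make the browser send it."""
    return f"session={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create(None, "browser-A")
    sid = store.login(anon, "peggy", "browser-A")
    print(session_cookie_header(sid))
    print(store.lookup(sid, "browser-A"))  # ('peggy', 'ok')
    print(store.lookup(sid, "browser-B"))  # (None, 'client changed; possible hijack')
```

Binding a session to a client fingerprint is a coarse detector: a user whose browser updates mid-session will be logged out, while an attacker who copies the browser's headers along with the cookie will not be caught. It is one layer; the random ID, the rotation at login, the short idle timeout and the cookie attributes each close a different route to the same session.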
