Penetration Testing mailing list archives

Session Hijacking Security


From: 11ack3r <11ack3r () gmail com>
Date: Wed, 16 Apr 2008 16:57:34 +0530

Hi Guys,

Thanks for your answers to my earlier post.

I saw & tested how easy it was to capture cookies over the network and
hijack sessions.

Now what's the countermeasure? Sites like yahoo.com or any from the whole
lot don't use HTTPS after authentication. Is there any other technique
apart from HTTPS that they can use to ensure session hijacking is
thwarted?

How about sending one-time cookies that are encrypted? Encryption will
ensure confidentiality and one-timeness would mitigate replay attacks.

Is anyone aware of any non-HTTPS implementation that is more secure,
if not completely secure?

Thanks a ton
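The one-time cookie idea from the post, sketched as a server-side session store that rotates the token on every request and treats a re-presented, already-consumed token as a replay. This is an added example, not code from the original thread; the `SessionStore` class, its method names and the use of `secrets.token_urlsafe` are my choices, and the store is in-memory only.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    current_token: str          # the only token accepted for the next request
    revoked: bool = False
    consumed: set = field(default_factory=set)  # tokens already used once


class SessionStore:
    """Server-side store issuing a fresh session token on every request.

    Each token is valid for exactly one request. Presenting a token that was
    already consumed (e.g. a cookie captured off the wire and replayed) does
    not just fail: it revokes the whole session, since two parties are now
    holding the same credential.
    """

    def __init__(self) -> None:
        self._by_token: dict[str, Session] = {}  # every token ever issued

    def login(self, user: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._by_token[token] = Session(user=user, current_token=token)
        return token

    def handle_request(self, token: str):
        """Return (user, next_token) on success, None on rejection."""
        s = self._by_token.get(token)
        if s is None or s.revoked:
            return None                      # unknown token or dead session
        if token in s.consumed:
            s.revoked = True                 # replay detected: kill the session
            return None
        # Token is current and unused: consume it and rotate.
        s.consumed.add(token)
        new_token = secrets.token_urlsafe(32)
        s.current_token = new_token
        self._by_token[new_token] = s       # old token stays mapped for replay detection
        return s.user, new_token
```

Rotation only narrows the window: on plaintext HTTP an eavesdropper also sees each new token, so the gain is that a replayed cookie becomes a detectable collision rather than a silent hijack, which is why the HTTPS answer in this thread still stands.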
