1 Executive Summary
Session hijacking is a set of cyberattack techniques that allow bad actors to take over, or initiate, authenticated user sessions by using valid session identifiers, URL parameters, POST data, cookies, or tokens. Session hijacking has been around for a long time; it may alternately be referred to as cookie hijacking or cookie theft. Whatever the name, the attackers’ intentions and the results are usually the same. Session hijacking has become more prevalent as an attack vector in recent years. Not only do Advanced Persistent Threat (APT) actors use it for credential access, lateral movement, and collection, but fraudsters increasingly leverage these techniques to gain access to victims’ resources.
Once an attacker has a valid cookie or token, they can impersonate users on websites and in applications. Session hijacking techniques are often used, successfully, to bypass Multi-Factor Authentication (MFA). If the cookie or token is legitimate, detecting session hijacking can be difficult. APT actors use hijacked tokens to gain access to applications for which they do not hold full credentials. Fraudsters use them to steal money and other assets, damage individuals’ reputations, or for other nefarious purposes.
Detecting session hijacking can be hard since the bad actor’s actions usually do not set off alarms, such as failed login attempts. User Behavioral Analysis (UBA) is likely the best method for detecting session hijacking. Preventing it is the most desirable approach. Some tactics for session hijacking prevention, however, may encumber users considerably.
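The behavioral check described above, as an added example that is not part of the original report: a session ID that is suddenly presented from a different client fingerprint (IP address and user agent) shortly after legitimate use is treated as a possible hijack, while an IP-only change with the same user agent is tolerated to limit false positives from mobile and NAT roaming. The log format, field names, and values are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample access log (hypothetical values), one authenticated request per line:
# timestamp  user  session_id  client_ip  user_agent
SAMPLE_LOG = """\
2025-03-01T09:00:00Z alice sid-7f3a 203.0.113.10 Firefox/125
2025-03-01T09:05:00Z alice sid-7f3a 203.0.113.10 Firefox/125
2025-03-01T09:06:30Z alice sid-7f3a 198.51.100.77 Chrome/123
2025-03-01T09:10:00Z bob sid-91c2 192.0.2.44 Safari/17
2025-03-01T09:12:00Z bob sid-91c2 192.0.2.45 Safari/17
"""


def parse_log(text):
    """Turn the whitespace-separated log lines into dicts with a timezone-aware timestamp."""
    records = []
    for line in text.splitlines():
        ts, user, sid, ip, ua = line.split()
        records.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                        "user": user, "sid": sid, "ip": ip, "ua": ua})
    return records


def detect_session_reuse(records, window=timedelta(minutes=30)):
    """Flag a session ID that reappears from a different IP *and* user agent within
    `window` of its previous use. A copied cookie rarely arrives with the victim's
    exact fingerprint, and no failed login ever occurs, so this is what to watch."""
    last_seen = {}  # session_id -> (timestamp, ip, user_agent) of the most recent request
    alerts = []
    for r in sorted(records, key=lambda rec: rec["ts"]):
        prev = last_seen.get(r["sid"])
        if prev:
            prev_ts, prev_ip, prev_ua = prev
            if r["ts"] - prev_ts <= window and r["ip"] != prev_ip and r["ua"] != prev_ua:
                alerts.append({"user": r["user"], "sid": r["sid"],
                               "from": (prev_ip, prev_ua), "to": (r["ip"], r["ua"]),
                               "seconds": int((r["ts"] - prev_ts).total_seconds())})
        last_seen[r["sid"]] = (r["ts"], r["ip"], r["ua"])
    return alerts


if __name__ == "__main__":
    for alert in detect_session_reuse(parse_log(SAMPLE_LOG)):
        print(alert)
```

In production the fingerprint would also include TLS/JA3 details, ASN or geolocation, and an impossible-travel speed check, with alerts feeding a session-revocation step rather than only a log.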
Session hijacking is a serious enough threat that US President Biden, in an Executive Order dated January 16, 2025, directed NIST and CISA to “develop guidelines for the secure management of access tokens and cryptographic keys used by cloud service providers.”