Cookie defense

As we discussed in earlier chapters, cookie hijacking is a technique where an attacker steals session cookies. Cookie hijacking can be defeated if your website is running SSL/TLS 3.0. Many attackers will bypass SSL/TLS by using a combination of man-in-the-middle or SSL strip attacks; however, ensuring your web application only has secure pages, meaning it provides no HTTP to HTTPS redirection, will mitigate those forms of attack.

Tip

Cookie hijacking can work over SSL/TLS connections if attackers use cross-site scripting to send cookies to their servers. Developers can mitigate this risk by setting the Secure and HttpOnly flags on the cookies.

A common mistake in web application security is securing only the authentication portal of a web application rather than the entire session. When the entire session is not secured, a user can still be attacked. Developers must ensure their entire application supports secure and encrypted web sessions through SSL/TLS 3.0 to avoid being vulnerable to attack.
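As an added example (this is not code from the book), the following Python sketch ties together the two defenses above: it builds a session cookie carrying the Secure and HttpOnly flags, audits captured Set-Cookie headers for those flags, and refuses to issue a session cookie on a request that did not arrive over HTTPS, so the session is never established on a plain-HTTP page. It uses only the standard library; the function names and the sample header strings are assumptions constructed for illustration.

```python
"""Added example (not from the book): building session cookies with the
Secure and HttpOnly flags, auditing Set-Cookie headers for those flags, and
refusing to issue a session cookie on a request that did not arrive over TLS.
Standard library only; the header strings below are constructed samples."""
from http.cookies import SimpleCookie
from typing import Dict, List, Optional


def build_session_cookie(name: str, value: str) -> str:
    """Return a Set-Cookie header value carrying the Secure and HttpOnly flags.

    Secure keeps the browser from sending the cookie over plain HTTP;
    HttpOnly keeps script (document.cookie) from reading it, which is the
    cross-site-scripting exfiltration path the text describes."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["secure"] = True
    jar[name]["httponly"] = True
    return jar[name].OutputString()


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split a Set-Cookie header into the cookie name and its attributes.

    Flag attributes (Secure, HttpOnly) map to True; valued attributes
    (Path, Domain, Max-Age) map to their value. Attribute names are
    case-insensitive per RFC 6265, so they are lower-cased here."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        else:
            attrs[part.lower()] = True
    return {"name": name, "attrs": attrs}


def audit_set_cookie(header: str) -> List[str]:
    """Return the list of defenses a Set-Cookie header is missing."""
    attrs = parse_set_cookie(header)["attrs"]
    findings: List[str] = []
    if attrs.get("secure") is not True:
        findings.append("missing Secure")
    if attrs.get("httponly") is not True:
        findings.append("missing HttpOnly")
    return findings


def issue_session_cookie(request_scheme: str, session_id: str) -> Optional[str]:
    """Issue a session cookie only when the request itself came over HTTPS.

    This mirrors the point that the whole session, not just the login page,
    must be served over TLS: a handler that sets the session cookie on a
    plain-HTTP request has already exposed it. Returning None (and, in a
    real application, answering 403 rather than redirecting) keeps the
    session off HTTP entirely."""
    if request_scheme.lower() != "https":
        return None
    return build_session_cookie("SESSIONID", session_id)


# Constructed sample headers, as a scanner or proxy might capture them.
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/",
    "SESSIONID=abc123; Path=/; Secure",
    "SESSIONID=abc123; Path=/; HttpOnly",
    "SESSIONID=abc123; Path=/; HttpOnly; Secure",
]


def audit_all(headers: List[str]) -> Dict[str, List[str]]:
    """Map each header to its findings; an empty list means both flags are set."""
    return {h: audit_set_cookie(h) for h in headers}


if __name__ == "__main__":
    for header, findings in audit_all(SAMPLE_HEADERS).items():
        print(f"{header!r}: {findings or 'OK'}")
    print(issue_session_cookie("http", "abc123"))   # None: refused on plain HTTP
    print(issue_session_cookie("https", "abc123"))
```

Running the script prints one finding line per sample header and shows the plain-HTTP request being refused; pointing `audit_all` at Set-Cookie headers captured from your own application is a quick way to confirm every session cookie carries both flags, not only the one set at login.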

Additional defenses against cookie hijacking are available with popular Application Delivery Controller (ADC) appliances, such as load balancers and content filters. Popular vendors to consider are Cisco, Bluecoat, Riverbed, Websense, and many others. Many of these appliances rewrite cookie flags to Secure and HttpOnly. They also have built-in proprietary techniques to mitigate some cross-site scripting attacks.
