
Session cookie

(also per-session cookie)

Session cookie definition

A session cookie is a small piece of data that a website sets in the visitor’s browser for the duration of one visit. It usually carries a session ID, a value that links the browser to the user’s logged-in state and any temporary preferences stored on the server. Unlike persistent cookies, session cookies are held in browser memory rather than written to disk and are discarded when the browser is closed; a site also clears them when the user logs out. Because the browser sends the session cookie with every request to the site, whoever holds its value can act as that user. If the cookie is not protected (sent over plain HTTP, readable by page scripts, or not replaced at login), attackers can steal or plant it and impersonate the user without ever knowing the password. The most common ways they do this are listed below.

See also: XSS, session fixation attack

How do hackers misuse session cookies?

  • Cross-site request forgery. The attacker tricks the user’s browser into sending a request (for example from a hidden form on a malicious page) to a site where the user is logged in. Because the browser attaches the session cookie automatically, the site treats the forged request as the user’s own and carries out the action, such as a transfer or a password change, on their behalf. The SameSite cookie attribute and anti-CSRF tokens limit this.
  • Session hijacking. By intercepting the session cookie on an unencrypted connection or stealing it with a cross-site scripting (XSS) payload, the attacker obtains the user’s session ID and can use the account without ever learning the login credentials. Serving the site over HTTPS with the Secure flag blocks the first path; the HttpOnly flag blocks the second.
  • Session fixation. The attacker obtains a valid session ID from the site and plants it in the victim’s browser (for example through a crafted link) before the victim logs in. If the site keeps the same session ID after authentication instead of issuing a fresh one, the attacker’s copy of the ID now refers to the victim’s logged-in session.