Wednesday, 28 June 2017

Session ID Regeneration can't prevent cookie from being copied

This could be a basic concept, but I am a bit confused over it.

Guidelines tell us to regenerate the session ID after user login in order to make it unusable if it is being sniffed over the network, thus preventing a replay attack.

My point is that even after the session ID is regenerated, it would again be stored in the user's browser, and if an attacker or some other person who has access to the user's system copies that cookie and replays it in another browser, they could gain post-login access, irrespective of TLS/non-TLS connections?

Is it correct to say that this kind of activity cannot be prevented?

Suggestions/Views please?
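A minimal illustration of the point raised above, added here as an example and not part of the original post: a constructed in-memory session store that regenerates the ID on login. The pre-login ID stops working, which is what regeneration protects against, while any copy of the post-login ID is indistinguishable from the original, so regeneration alone does not address a cookie copied from the client after login.

```python
import secrets


class SessionStore:
    """In-memory session store constructed for this example (not a real framework API)."""

    def __init__(self):
        self._sessions = {}  # session_id -> session data

    def create(self):
        """Issue an anonymous (pre-login) session ID."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def lookup(self, sid):
        """Return session data for a presented cookie value, or None if unknown."""
        return self._sessions.get(sid)

    def login(self, sid, username):
        """Authenticate and regenerate: the pre-login ID is discarded, so an ID
        captured or planted before login no longer maps to any session."""
        data = self._sessions.pop(sid, None)
        if data is None:
            raise KeyError("unknown session")
        data["user"] = username
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid


def demo():
    """Compare an ID observed before login with a copy of the ID issued after login."""
    store = SessionStore()
    pre_login = store.create()
    seen_before_login = pre_login          # value an observer saw before authentication
    post_login = store.login(pre_login, "alice")
    copied_after_login = post_login        # value copied from the browser after login
    return {
        "old_id_rejected": store.lookup(seen_before_login) is None,
        "copy_accepted": store.lookup(copied_after_login)["user"] == "alice",
        "ids_differ": pre_login != post_login,
    }


if __name__ == "__main__":
    print(demo())  # {'old_id_rejected': True, 'copy_accepted': True, 'ids_differ': True}
```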
