

Ask HN: Session token stealing - dpweb

I noticed in one of the discussions on hacking Github, people were saying that the real token or session id must not be revealed to the user-agent.

How does this work because wouldn't a common value have to be known between the browser/server?
======
mschuster91
The session ID serves as a key for a server key-value storage which holds the
"session data". It carries absolutely no authentication info, unless
implemented in the client code (like an IP check).

Reading out the SID is possible e.g. with injecting a JavaScript that reads
document.cookie value.
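The model described in this answer (the cookie holds only an opaque lookup key, and all authentication state lives server-side) as an added example in Python; this is illustration code written for this thread, not code from GitHub or from the commenter. The store, the cookie name `sid`, the lifetime and the sample user data are all assumptions made up for the example. It also shows the usual mitigation for the `document.cookie` read mentioned above: emitting the cookie with the `HttpOnly` flag so script in the page cannot read it.

```python
import secrets
import time
from typing import Optional

SESSION_TTL = 3600  # assumed lifetime in seconds (constructed for this example)
COOKIE_NAME = "sid"  # assumed cookie name


class SessionStore:
    """Server-side key-value store keyed by an opaque, random session ID.

    The ID itself carries no user or authentication information; it is only
    the key under which the server keeps the session data.
    """

    def __init__(self) -> None:
        self._sessions: dict[str, dict] = {}

    def create(self, data: dict) -> str:
        # 32 random bytes (256 bits) from the OS CSPRNG, encoded URL-safe.
        # Nothing about the user is derivable from the value.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {
            "data": dict(data),
            "expires": time.time() + SESSION_TTL,
        }
        return sid

    def lookup(self, sid: Optional[str]) -> Optional[dict]:
        """Return the session data for sid, or None if unknown or expired."""
        if not sid:
            return None
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if entry["expires"] < time.time():
            del self._sessions[sid]
            return None
        return entry["data"]

    def destroy(self, sid: str) -> None:
        """Server-side logout: once the key is gone, the cookie is worthless."""
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str) -> str:
    """Build the Set-Cookie value the server sends after login.

    HttpOnly keeps document.cookie from exposing the ID to page script,
    Secure restricts it to HTTPS, SameSite=Lax limits cross-site sending.
    """
    return f"{COOKIE_NAME}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def session_id_from_cookie_header(cookie_header: str) -> Optional[str]:
    """Extract the session ID from a request's Cookie header, if present."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME and value:
            return value
    return None


def current_user(store: SessionStore, cookie_header: str) -> Optional[str]:
    """What a request handler does: map the presented cookie to a user, or None."""
    data = store.lookup(session_id_from_cookie_header(cookie_header))
    return data["user"] if data else None


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create({"user": "alice"})  # constructed sample user
    print(set_cookie_header(sid))
    print(current_user(store, f"{COOKIE_NAME}={sid}"))  # alice
    print(current_user(store, f"{COOKIE_NAME}=not-a-real-id"))  # None
```

The server never has to share a secret with the browser beyond the random ID itself: whoever presents a valid ID is treated as that session, which is exactly why the ID must stay out of reach of page script and why a server-side `destroy` (not just deleting the cookie) is what actually ends a session.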

