

Advanced Session Hijacking - colund
https://scotthelme.co.uk/advanced-session-hijacking/

======
nickthemagicman
I've noticed a lot of public wifis are putting each host in its own
vlan/subnet. Would that inhibit this?

~~~
rwbhn
Yes. The attack is limited to the layer 2 broadcast domain, so if you put
everyone in their own l2 domain this attack won't work.

------
diafygi
The picture at the top of the article insinuates that this can see sessions
inside https requests, but I can't find anything in the article on the
specifics of that. How can you find the session cookie if the request uses
TLS?

~~~
Terr_
Not sure. Perhaps the session-ID is when the user hits an HTTP landing page
(and captured then) and the server reuses it when forwarding/linking them to
HTTPS content?

You could set the "secure" flag on the cookies so that the browser only
repeats them to HTTPS endpoints, but that won't help if the original header to
_set_ the cookie is sent out over HTTP.
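
The case described in the comment above, as an added example that is not part of the thread: a Python check over observed headers that flags a session cookie whose `Set-Cookie` went out over HTTP (even with `Secure`), one set over HTTPS without `Secure`, and an HTTPS request that reuses an ID first issued over HTTP. The cookie name `sid`, the host `shop.example` and the sample traffic are constructed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample traffic: (url, direction, header value).
# "set" = response Set-Cookie header, "sent" = request Cookie header.
SAMPLE = [
    ("http://shop.example/", "set", "sid=abc123; Path=/; Secure; HttpOnly"),
    ("https://shop.example/account", "sent", "sid=abc123; theme=dark"),
    ("https://shop.example/login", "set", "sid=zzz999; Path=/; HttpOnly"),
    ("https://shop.example/pay", "set", "sid=ok777; Path=/; Secure; HttpOnly"),
]

def audit(records, session_names=("sid",)):
    """Return (url, cookie, issue) tuples for session cookies exposed in cleartext."""
    findings = []
    issued_in_clear = set()  # (host, name, value) seen in an HTTP Set-Cookie
    for url, direction, header in records:
        parts = urlsplit(url)
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if name not in session_names:
                continue
            ident = (parts.hostname, name, morsel.value)
            if direction == "set" and parts.scheme == "http":
                # Secure only limits where the browser repeats the cookie;
                # the Set-Cookie header itself already crossed the wire unencrypted.
                issued_in_clear.add(ident)
                findings.append((url, name, "set-over-http"))
            elif direction == "set" and not morsel["secure"]:
                findings.append((url, name, "missing-secure"))
            elif (direction == "sent" and parts.scheme == "https"
                  and ident in issued_in_clear):
                findings.append((url, name, "https-reuses-id-issued-over-http"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="  ")
```
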

