What is session hijacking?
Session hijacking is a cyberattack in which a threat actor takes control of an authenticated user session by stealing the session token – the credential issued by a web application after successful login that allows the user to remain authenticated without re-entering their password. Unlike credential theft, session hijacking operates after authentication has already occurred. An attacker presenting a valid session token appears identical to the legitimate user, bypassing multi-factor authentication entirely.
This distinction matters because it closes the gap that MFA was designed to fill. A stolen password can be stopped by a second factor. A stolen session token has already passed the second factor – it represents a completed, verified authentication. The attacker isn’t breaking into the account; they’re continuing a session that was legitimately opened by someone else.
How does session hijacking work?
Web applications maintain user sessions through tokens or cookies stored in the browser. These are issued after authentication and presented with every subsequent request to identify the user to the server. Attackers acquire these tokens through several methods:
- Cookie theft via infostealer malware: Malware installed on a victim’s device extracts session cookies directly from browser storage. Stolen cookies are packaged into stealer logs and sold in criminal markets within hours of infection. A buyer who imports that cookie into their own browser is immediately authenticated as the victim – no password or second factor needed.
- Adversary-in-the-Middle (AitM) attacks: A phishing proxy on a lookalike domain relays traffic between the victim and the legitimate authentication page. The victim completes authentication against the real service – including any MFA step – and the proxy, which sees every relayed response, records the session cookie the service sets before passing the response on to the victim’s browser. Because the cookie is captured in transit on the proxy, not in the browser, the HttpOnly and Secure flags offer no protection here.
- OAuth and token theft: In cloud and SaaS environments, OAuth access tokens and refresh tokens function similarly to session cookies. Stolen tokens grant persistent access to cloud resources, APIs, and connected applications.
- Cross-site scripting (XSS): A script injected into a page runs with the page’s origin. It can read any cookie set without the HttpOnly flag through document.cookie, read tokens the application keeps in localStorage or sessionStorage, and send them to attacker-controlled infrastructure. Even where the cookie itself is unreadable, the script can still issue requests that ride on the victim’s session.
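Which cookies each of these vectors can reach is easiest to see on the cookie attributes themselves. The following is an added example, not code from this page or from any product it mentions; the Set-Cookie headers are constructed and the domain names are placeholders. It shows that an injected script sees only cookies set without HttpOnly, while a relaying proxy, which sits on the server side of the browser, captures every cookie regardless of its flags and rewrites the Domain attribute so the victim’s browser accepts it for the lookalike host (an infostealer reading the browser’s cookie database likewise sees all of them).

```python
"""Which session cookies each theft vector can reach, worked on constructed
Set-Cookie headers. Added example, not code from the page or any vendor."""

# Constructed headers as a login endpoint might return them (values are fake).
CONSTRUCTED_LOGIN_RESPONSE = [
    "session=ZmFrZS1zZXNzaW9uLXZhbHVl; Domain=login.example.com; Path=/; Secure; HttpOnly; SameSite=None",
    "csrf=4f8c1b; Domain=login.example.com; Path=/; Secure; SameSite=Lax",
    "theme=dark; Path=/",
]


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, object]]:
    """Split one Set-Cookie value into name, value and a lowercased attribute map.
    Flag attributes (Secure, HttpOnly) map to True; valued ones keep their value."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, object] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def xss_readable(headers: list[str]) -> list[str]:
    """Cookies an injected script can read through document.cookie: only those
    set without HttpOnly. The session cookie above is therefore out of reach."""
    return [name for name, _, attrs in map(parse_set_cookie, headers) if "httponly" not in attrs]


def aitm_capture(headers: list[str], phishing_domain: str) -> tuple[dict[str, str], list[str]]:
    """What a phishing proxy obtains while relaying the same response. It is on
    the server side of the browser, so HttpOnly and Secure hide nothing from
    it: every cookie goes into the attacker's jar, and the Domain attribute is
    rewritten so the victim's browser will store the cookie for the lookalike
    host (phishing_domain is a placeholder)."""
    jar: dict[str, str] = {}
    relayed: list[str] = []
    for header in headers:
        name, value, _ = parse_set_cookie(header)
        jar[name] = value
        rewritten = []
        for part in header.split(";"):
            key, _, _ = part.strip().partition("=")
            if key.strip().lower() == "domain":
                rewritten.append(f"Domain={phishing_domain}")
            else:
                rewritten.append(part.strip())
        relayed.append("; ".join(rewritten))
    return jar, relayed


if __name__ == "__main__":
    print("readable by XSS:", xss_readable(CONSTRUCTED_LOGIN_RESPONSE))
    jar, relayed = aitm_capture(CONSTRUCTED_LOGIN_RESPONSE, "login.example-secure.net")
    print("captured by AitM proxy:", sorted(jar))
    print("relayed to victim:", relayed[0])
```

The practical reading: HttpOnly is the check to run against the XSS vector, and it is the only one of the three vectors it helps with; against AitM and infostealers the cookie attributes are irrelevant, which is why the controls for those have to live on the server side.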
Session hijacking as a growing threat actor technique
Session hijacking keeps growing for two reasons: organizations run ever more of their work through web applications and SaaS, and attack tooling for cookie theft has matured. The move toward phishing-resistant and passwordless authentication such as passkeys has also shifted attention from credentials to session cookies – a session token is issued regardless of how the login was performed, so stealing it bypasses MFA and passkeys alike and lands the attacker in an already-authenticated session.
Why session hijacking is an escalating enterprise risk
Every cloud service – Microsoft 365, Salesforce, Okta, Google Workspace – maintains persistent sessions that are high-value targets. The shift to cloud and SaaS has expanded the attack surface significantly: each application issues its own session tokens, and a single infostealer infection on one employee device or a successful phishing attack can expose authenticated sessions across dozens of enterprise platforms simultaneously.
Detecting and preventing session hijacking
Effective session hijacking prevention requires controls at both the authentication and post-authentication layers. On the post-authentication side: short absolute session lifetimes and idle timeouts, server-side session state that can be revoked at will, tokens bound to the client device or its observable traits so a replayed token from elsewhere is rejected, re-authentication for sensitive actions, and anomaly detection that flags reuse of the same session token from an unexpected IP address, network, or device fingerprint. The HttpOnly and Secure cookie flags belong in the list too, but only against XSS; they do nothing against an infostealer reading the cookie store or a proxy capturing the cookie in transit.
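How those post-authentication controls fit together, as an added example that is not code from this page or from any vendor it mentions: a server-side session table that enforces an absolute lifetime and an idle timeout, binds each session to a keyed hash of client traits, revokes a session the moment its token is replayed from a different client, exposes the bulk invalidation an exposure alert would trigger, and a detector that runs over constructed access-log lines and flags a session id that reappears from a different network or browser. The log format, the field names and the lifetime values are assumptions.

```python
"""Device-bound sessions with short lifetimes, plus a reuse detector run over
constructed log lines. Added example; the log format, field names and policy
values are assumptions, not any vendor's schema."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_LIFETIME = 8 * 3600   # absolute session lifetime in seconds (assumed policy)
IDLE_TIMEOUT = 30 * 60    # idle timeout in seconds (assumed policy)


def device_fingerprint(user_agent: str, tls_fp: str, secret: bytes) -> str:
    # Keyed hash of the traits the server can observe, so the stored binding
    # does not leak them; a hardware-backed per-device key would be stronger.
    return hmac.new(secret, f"{user_agent}|{tls_fp}".encode(), hashlib.sha256).hexdigest()


@dataclass
class Session:
    user: str
    fp: str
    issued: float
    last_seen: float
    revoked: bool = False


class SessionStore:
    """Server-side session table. The token is an opaque random handle, so a
    stolen token carries nothing the server has to trust on its face."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.sessions: dict[str, Session] = {}

    def issue(self, user: str, user_agent: str, tls_fp: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        fp = device_fingerprint(user_agent, tls_fp, self.secret)
        self.sessions[token] = Session(user, fp, now, now)
        return token

    def validate(self, token: str, user_agent: str, tls_fp: str, now: float) -> str:
        s = self.sessions.get(token)
        if s is None or s.revoked:
            return "invalid"
        if now - s.issued > MAX_LIFETIME:
            return "expired"
        if now - s.last_seen > IDLE_TIMEOUT:
            return "idle"
        if not hmac.compare_digest(device_fingerprint(user_agent, tls_fp, self.secret), s.fp):
            s.revoked = True  # replay from another client: kill the session, not just this request
            return "device-mismatch"
        s.last_seen = now
        return "ok"

    def revoke_user(self, user: str) -> int:
        """Invalidate every live session of a user, e.g. when their cookies
        turn up in a stealer log. Returns how many sessions were cut."""
        live = [s for s in self.sessions.values() if s.user == user and not s.revoked]
        for s in live:
            s.revoked = True
        return len(live)


# Constructed access-log lines (not real data): sid is the session cookie id.
CONSTRUCTED_LOG = [
    "2025-03-01T09:00:05Z sid=s1 user=alice ip=203.0.113.10 asn=AS64500 ua=Chrome/122",
    "2025-03-01T09:02:11Z sid=s1 user=alice ip=203.0.113.10 asn=AS64500 ua=Chrome/122",
    "2025-03-01T09:40:30Z sid=s1 user=alice ip=198.51.100.7 asn=AS64496 ua=Firefox/123",
    "2025-03-01T09:41:00Z sid=s2 user=bob ip=192.0.2.44 asn=AS64501 ua=Safari/17",
    "2025-03-01T09:55:00Z sid=s2 user=bob ip=192.0.2.45 asn=AS64501 ua=Safari/17",
]


def detect_token_reuse(lines: list[str]) -> list[tuple[str, str, str]]:
    """Flag a session id that reappears from a different network (ASN) or
    browser than the one it was first seen with. IP changes inside the same
    ASN (carrier NAT, DHCP) are tolerated to keep the alert volume useful."""
    first_seen: dict[str, dict[str, str]] = {}
    alerts: list[tuple[str, str, str]] = []
    for line in lines:
        ts, *kvs = line.split()
        f = dict(kv.split("=", 1) for kv in kvs)
        base = first_seen.setdefault(f["sid"], f)
        if f["asn"] != base["asn"]:
            alerts.append((f["sid"], f["user"], f"asn {base['asn']} -> {f['asn']} at {ts}"))
        elif f["ua"] != base["ua"]:
            alerts.append((f["sid"], f["user"], f"ua {base['ua']} -> {f['ua']} at {ts}"))
    return alerts


if __name__ == "__main__":
    store = SessionStore(secrets.token_bytes(32))
    tok = store.issue("alice", "Chrome/122", "tls-a", 0.0)
    print(store.validate(tok, "Chrome/122", "tls-a", 60.0))      # ok
    print(store.validate(tok, "Firefox/123", "tls-b", 120.0))    # device-mismatch
    for alert in detect_token_reuse(CONSTRUCTED_LOG):
        print("ALERT", alert)
```

The binding here uses traits a server can observe (user agent, TLS fingerprint); a stealer that also captures the browser fingerprint can spoof those, which is why binding to a key the device holds and cannot export is the stronger form. The detector is deliberately conservative: a change of ASN or browser mid-session is rare for a real user and common for a replayed cookie, whereas a bare IP change inside one ASN would flood the queue.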
At enterprise scale, monitoring darknet markets and infostealer log channels for exposed session cookies tied to employee accounts provides early warning of compromise before attackers can act. SpyCloud’s Session Identity Protection detects exposed session cookies and automates invalidation across connected enterprise applications – closing the exposure window before stolen tokens can be used.
How SpyCloud helps prevent session hijacking
SpyCloud Session Identity Protection alerts security teams when users’ stolen cookies are detected as a result of infostealer malware infections, so sessions can be invalidated before criminals misuse a stolen cookie or browser fingerprint. The service helps prevent account takeover by attackers who sidestep authentication with stolen browser sessions. Even an expired cookie is useful as a signal: it identifies an infected user whose account can be monitored for suspicious behavior.
FAQs
Does session hijacking bypass MFA?
Yes. Multi-factor authentication protects the authentication step – verifying that the person logging in is who they claim to be. Session hijacking attacks after authentication has already been completed, targeting the session token that represents a verified identity. An attacker with a stolen session cookie can access the account without triggering any MFA challenge because, from the application’s perspective, they are presenting the result of a completed authentication. A 2025 Microsoft analysis found that 80% of MFA bypass incidents involved session token abuse, not credential compromise.
How is session hijacking different from credential theft?
Credential theft targets a user’s username and password – the information used to start an authentication. Session hijacking targets the session token issued after authentication has already occurred. The key operational difference is that a stolen credential can be stopped by MFA; a stolen session token has already passed MFA. Both attack types frequently co-occur: infostealer malware typically captures both credentials and session cookies from an infected device simultaneously, giving attackers multiple pathways to account access.