Session hijacking using browser session id copying

Posted by Varsha Pawar
Number of replies: 1
During the Vulnerability Assessment and Penetration Testing (VAPT) of our Moodle website, we've identified a critical security concern: students are able to copy the session ID from their browser and use it in another browser to gain unauthorized access to an admin account. Despite enabling the HttpOnly flag for cookies via the Moodle site administration settings and ensuring our website operates over HTTPS, this vulnerability still presents a significant risk.

Please suggest what I should do for session hijacking prevention.
If at the coding level, what code can I add, and where?


Thanks in advance!
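As an added illustration (not part of the original post and not Moodle's own code), the generic PHP below shows what the controls mentioned in the question actually do and where their limit is. HTTPS and the HttpOnly flag only protect the session ID in transit and from page scripts; the server still accepts any request that carries a valid ID, whichever browser sends it. The extra measures a server can take are to reject IDs it never issued, rotate the ID when privilege changes, and bind the session to a client fingerprint so a copied ID presented from a clearly different client is dropped. The function names, the fingerprint inputs and the request-handling sketch are this example's own choices, not a Moodle API:

```php
<?php
// Added illustration, not Moodle code: generic PHP session hardening that
// (1) sets Secure/HttpOnly/SameSite on the session cookie,
// (2) rejects session IDs the server did not create,
// (3) rotates the ID after login, and
// (4) binds the session to a client fingerprint so a copied ID sent from a
//     different client is refused.
// The fingerprint inputs (User-Agent plus the first three IPv4 octets) are an
// assumption chosen for this example; tune or drop them if they log users out.

declare(strict_types=1);

const FINGERPRINT_KEY = 'client_fingerprint';

/** Hash of client attributes expected to stay constant within one browser session. */
function client_fingerprint(array $server): string
{
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    $ip = $server['REMOTE_ADDR'] ?? '';
    // Only the /24 of an IPv4 address, so ordinary NAT churn does not break sessions.
    // An IPv6 address has no '.' and is used whole; loosen this if that proves too strict.
    $net = implode('.', array_slice(explode('.', $ip), 0, 3));
    return hash('sha256', $ua . '|' . $net);
}

function start_hardened_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,       // browser-session cookie, not persisted to disk
        'path'     => '/',
        'secure'   => true,    // never sent over plain HTTP
        'httponly' => true,    // not readable by page scripts
        'samesite' => 'Lax',   // not attached to cross-site POSTs
    ]);
    // Refuse IDs the server did not generate (blocks session fixation).
    ini_set('session.use_strict_mode', '1');
    session_start();
}

/** Call after a successful login: fresh ID, so a pre-login ID cannot be replayed. */
function bind_session_after_login(int $userId, array $server): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION[FINGERPRINT_KEY] = client_fingerprint($server);
}

/** Call on every authenticated request; false means the session must be dropped. */
function session_matches_client(array $session, array $server): bool
{
    if (!isset($session[FINGERPRINT_KEY])) {
        return false;
    }
    return hash_equals($session[FINGERPRINT_KEY], client_fingerprint($server));
}

// Request-handling sketch.
start_hardened_session();
if (isset($_SESSION['user_id']) && !session_matches_client($_SESSION, $_SERVER)) {
    // A valid ID arrived from a client that does not match the one it was issued to.
    $_SESSION = [];
    session_destroy();
    http_response_code(401);
    exit('Session invalid, please log in again.');
}
```

Two caveats a practitioner should keep in mind. First, Moodle already applies the cookie flags from its own settings (Site administration > Security > HTTP security), so this snippet is not something to paste into Moodle; it shows what those settings cover and what they leave open. Second, the fingerprint check only raises the bar: someone who copies the session ID out of an admin's browser and replays it from another browser on the same machine presents the same User-Agent and address and passes the check. If a student can read the admin's session cookie, the admin's browser or workstation is already compromised, and that is the finding to fix, alongside short session timeouts and re-authentication for sensitive admin actions.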
In reply to Varsha Pawar

Re: Session hijacking using browser session id copying

Posted by Visvanath Ratnaweera
Not a security expert, but I have seen this come up repeatedly in the security forum. See for example How to prevent session hijacking in Moodle. The argument is that to hijack a session, the hacker has to have access to a valid session ID, which means he had access anyway.

Either way, security findings need to be submitted secretly. The proper place is https://moodle.org/security/report/. See this and other information published in the Security and privacy forum.