Where are sessions stored?
Session data is stored on the server side. It is looked up by a unique identifier, the session ID, which is assigned to each visitor when they first access your website and which the client must present on every subsequent request.
How is the session ID propagated within the website?
There are principally two methods: the ID is either stored in a cookie or carried as a parameter in the URL.
Leaking an existing session ID to a third party is very risky, because whoever holds the ID can present it and be treated as that user; the damage grows with how much sensitive information the session holds.
The two main ways a session ID leaks are:
- When the session ID is carried in URLs
If a user follows an external link from your site, the URL containing the ID is sent in the Referer header and may end up in the external site's referrer log (as well as in browser history, bookmarks and proxy logs).
- When an attacker can observe network traffic
The session ID travels over the network with every request; if that traffic is not encrypted, anyone who can listen on the path can grab it. The best solution is to implement SSL/TLS (HTTPS) and make it mandatory for all users, and, when the ID is stored in a cookie, to mark that cookie Secure so the browser never sends it over plain HTTP.
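The following is an added example, not code from the original page, showing a cookie-only session-ID policy that addresses both leak paths above: a random ID is issued, sent back only in a Secure/HttpOnly cookie, accepted only from that cookie (an ID that shows up in the URL is ignored and reported rather than trusted), and unencrypted requests are flagged. The cookie name SESSID, the query parameter name, and the minimal request dictionary are assumptions made for the example.

```python
"""Cookie-only session-ID handling (added example, not from the original page)."""
from __future__ import annotations

import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

SESSION_COOKIE = "SESSID"   # assumed cookie name
URL_PARAM = "SESSID"        # assumed query-string parameter a URL-propagating setup would use
HEX_DIGITS = set("0123456789abcdef")


def new_session_id() -> str:
    """128-bit random ID from the OS CSPRNG; never derived from user-supplied data."""
    return secrets.token_hex(16)


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie header value that keeps the ID off the wire in clear text (Secure),
    out of reach of page scripts (HttpOnly) and out of cross-site requests (SameSite)."""
    return f"{SESSION_COOKIE}={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def session_id_from_request(request: dict) -> tuple[str | None, list[str]]:
    """Return (session_id or None, list of warnings).

    `request` is a constructed minimal dict such as
      {"scheme": "https", "path": "/account?x=1", "headers": {"Cookie": "SESSID=..."}}.
    The ID is read only from the cookie. An ID arriving in the URL is never trusted,
    because such URLs end up in browser history, proxy logs and third-party Referer logs.
    """
    warnings: list[str] = []
    if request.get("scheme") != "https":
        warnings.append("session traffic not encrypted; redirect to HTTPS")

    query = parse_qs(urlsplit(request.get("path", "/")).query)
    if URL_PARAM in query:
        warnings.append("session id present in URL; ignored")

    cookie = SimpleCookie()
    cookie.load(request.get("headers", {}).get("Cookie", ""))
    morsel = cookie.get(SESSION_COOKIE)
    if morsel is None:
        return None, warnings

    sid = morsel.value
    # Accept exactly the shape new_session_id() issues: 32 lowercase hex characters.
    if len(sid) != 32 or not set(sid) <= HEX_DIGITS:
        warnings.append("malformed session id; ignored")
        return None, warnings
    return sid, warnings


def referer_would_leak(page_url: str) -> bool:
    """True if following an external link from this page would leak the session ID
    to the target site via the Referer header (the ID is in the page's URL)."""
    return URL_PARAM in parse_qs(urlsplit(page_url).query)


if __name__ == "__main__":
    sid = new_session_id()
    print("Set-Cookie:", session_cookie_header(sid))
    ok = {"scheme": "https", "path": "/account", "headers": {"Cookie": f"SESSID={sid}"}}
    print(session_id_from_request(ok))
    leaky = {"scheme": "http", "path": f"/account?SESSID={sid}", "headers": {}}
    print(session_id_from_request(leaky))
    print("Referer leak:", referer_would_leak(f"https://example.test/page?SESSID={sid}"))
```

In a real deployment the warnings would drive a redirect to HTTPS and a log entry rather than a print, but the decision they encode is the point: a session ID is only ever accepted from a Secure cookie over TLS, so neither a referrer log nor a network eavesdropper ever sees a usable one.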