Session hijacking is an attack where a threat actor steals, intercepts, or forges a valid session token to take over an authenticated user session without needing the user's credentials. NIST defines it as an attack where the adversary inserts themselves into the communication between a claimant and verifier after successful authentication, posing as the subscriber to control session data exchange (NIST CSRC Glossary). The technique is particularly dangerous because it renders multi-factor authentication irrelevant. The authentication (including any MFA challenge) has already completed before the hijack occurs.
Web applications issue session tokens (typically stored as browser cookies) after a user successfully authenticates. These tokens allow the application to recognize the user on subsequent requests without requiring repeated logins. Session hijacking exploits this mechanism by giving the attacker a valid token that the application trusts.
MITRE ATT&CK documents the attack across two technique entries: T1539 (Steal Web Session Cookie) covers the initial theft, and T1550.004 (Web Session Cookie) covers the use of stolen cookies to access resources.
The primary session hijacking methods include:
The core reason session hijacking is an effective MFA bypass is a timing gap. MFA protects the authentication event, but session tokens persist long after that event concludes. Cloud application session cookies often remain valid for days or weeks, even when the user is not actively logged in. Once the attacker possesses a valid token, the application treats them as the authenticated user with no further challenges.
This makes session hijacking a primary enabler of account takeover. The attacker inherits the victim's access level, including the ability to read email, modify account settings, initiate financial transactions, or move laterally to connected applications. In enterprise environments, a hijacked session to a cloud identity provider can cascade into access across dozens of integrated services.
Detection depends on identifying anomalies that indicate a session token is being used by someone other than the original user. Effective signals include impossible travel (a session active in two distant geographic locations within minutes), device fingerprint changes (the same session token suddenly appearing on a different operating system or browser), and unusual session behavior patterns such as bulk data access or permission changes that deviate from the user's baseline.
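The two signals described above, impossible travel and a device fingerprint change on the same session token, expressed as detection logic over a few constructed session-activity records. This is an added example, not code from the original text; the record fields, the 1000 km/h plausibility ceiling and the 50 km minimum distance are assumptions of the example.

```python
import math
from datetime import datetime

# Constructed sample session-activity records (not real logs): session sess-A
# is seen in New York and London twelve minutes apart, then from a different
# browser/OS; sess-B flies New York to Los Angeles over eight hours (plausible).
SAMPLE_EVENTS = [
    {"session": "sess-A", "ts": "2024-05-01T09:00:00", "lat": 40.71, "lon": -74.01, "ua": "Chrome/Windows"},
    {"session": "sess-A", "ts": "2024-05-01T09:12:00", "lat": 51.51, "lon": -0.13, "ua": "Chrome/Windows"},
    {"session": "sess-A", "ts": "2024-05-01T09:30:00", "lat": 51.51, "lon": -0.13, "ua": "Firefox/Linux"},
    {"session": "sess-B", "ts": "2024-05-01T09:00:00", "lat": 40.71, "lon": -74.01, "ua": "Safari/macOS"},
    {"session": "sess-B", "ts": "2024-05-01T17:00:00", "lat": 34.05, "lon": -118.24, "ua": "Safari/macOS"},
]

MAX_KMH = 1000.0   # assumed ceiling: faster than this between two events is "impossible travel"
MIN_KM = 50.0      # assumed: ignore small geo-IP jitter within one metro area


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def detect_hijack_signals(events, max_kmh=MAX_KMH, min_km=MIN_KM):
    """Compare each event with the previous event for the same session token.
    Returns (session, signal, detail) tuples for impossible travel and
    user-agent (fingerprint) changes, in timestamp order per session."""
    alerts = []
    last = {}
    for ev in sorted(events, key=lambda e: (e["session"], e["ts"])):
        prev = last.get(ev["session"])
        if prev is not None:
            delta = datetime.fromisoformat(ev["ts"]) - datetime.fromisoformat(prev["ts"])
            hours = delta.total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            # Same token, too far to have travelled in the elapsed time
            if km > min_km and (hours <= 0 or km / hours > max_kmh):
                alerts.append((ev["session"], "impossible_travel", f"{km:.0f} km in {hours * 60:.0f} min"))
            # Same token, different browser/OS fingerprint
            if ev["ua"] != prev["ua"]:
                alerts.append((ev["session"], "fingerprint_change", f"{prev['ua']} -> {ev['ua']}"))
        last[ev["session"]] = ev
    return alerts
```

Running `detect_hijack_signals(SAMPLE_EVENTS)` yields two alerts for sess-A and none for sess-B; in production the same comparison would be fed from the identity provider's sign-in or session logs.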
Organizations can reduce exposure through shorter session timeouts, token binding that ties cookies to specific device attributes, enforcing the Secure and HttpOnly flags on session cookies (as recommended in the OWASP Session Management Cheat Sheet), and continuous session validation that re-evaluates risk signals throughout the session lifecycle rather than only at login.