Abstract

HTTP is a stateless application layer protocol. However, most web applications require a mechanism to manage access rights, localization settings or status for every user over a duration of multiple requests. Various mechanisms of managing sessions have been proposed with cookie based unique session ID being the most popular. In this paper, we show that despite using TLS/SSL, major e-commerce websites such as Amazon, eBay, Flipkart, Snapdeal and Alibaba, including search engines like Bing and Baidu are vulnerable to session hijacking via cookie stealing. We also show that this vulnerability exists because of poor implementation of session management standards.