Session replay is a scheme an intruder uses to masquerade as an authorized user on an interactive Web site. By stealing the user's session ID, the intruder gains access and the ability to do anything the authorized user can do on the Web site.
Session IDs facilitate user tracking for a Web site and can provide automatic authentication for future visits to that site or associated sites. The session ID can be stored as a cookie, form field or URL. Once the intruder obtains session ID data (see session prediction), he can conduct either a session replay or session hijacking attack.
A session hijacking intrusion is easily detected because it occurs while a session is in process. Because a session replay attack does not occur in real time, however, such an attack may only be discovered when the user learns he has been the victim of identity theft or some other form of fraud.
Software countermeasures capable of minimizing the threat of session replay are similar to those used for application security. Examples include:
- conventional firewalls
- application firewalls
- encryption/decryptionl programs
- anti-virus programs
- pop-up blockers
- spyware detection/removal programs.
Behavioral countermeasures include:
- frequent deletion of stored cookies and temporary files from Web browsers
- making sure that browsers do not remember passwords
- setting browsers to purge all personal data every time they are closed (if they offer this feature)
- installing updates and patches promptly when they become available
- refraining to click on links in e-mail messages from questionable sources
- avoiding questionable Web sites.