A few people may be a little confused when they hear about how to prevent a session sidejacking attack, because session sidejacking cannot be stopped in the usual way. Prevention has to come from the developer or from the network administrator. But end users like me can still do something useful to minimize the attack against us (not prevent it!) by cleaning our browser cookies, cache and history. One thing you should understand, though: cleaning our browser cache does not mean we are finished and no one can hijack our session, because the server still keeps our session information. Let me draw the process below.
1. The user sends a username and password over an unencrypted network, and a cracker reads all the packet data crossing the network.
2. The server authenticates the user and judges whether the user is valid or not. If the user is valid, the server gives the user one unique session ID.
3. The session ID is stored on the user's computer (in the browser) and stays valid until the user logs out from the server, or until it expires at a time determined by the server. That's why, if you're inside a public network (usually a hotspot), you should not use the "remember me" feature of the web application, because it makes your session ID static.
To understand this, have a look at the steps below.
1. The user deletes the browser cookies, cache and history, but forgets to tell the server that he/she has quit. The session cookie is deleted and cleared on the user's computer, but not on the server.
2. The attacker can still use the session ID to act as the valid user.
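To make the two lists above concrete, here is a small added example (my own illustration, not code from the original post or from any real web application) of a server-side session table: clearing the client's cookie changes nothing on the server, while a real logout or the server's expiry timer does. The names SessionStore, login, lookup, logout and demo are assumptions, and the password check is stubbed.

```python
import secrets
import time


class SessionStore:
    """Minimal server-side session table (constructed example)."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._sessions = {}  # session_id -> (username, expiry_timestamp)

    def login(self, username, password, now=None):
        # Authentication is stubbed: any non-empty password is accepted.
        if not password:
            return None
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # unique, unguessable session ID
        self._sessions[sid] = (username, now + self.ttl)
        return sid

    def lookup(self, sid, now=None):
        """Return the user who owns sid, or None if unknown or expired."""
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        username, expiry = entry
        if now >= expiry:
            del self._sessions[sid]  # server-side timer ran out
            return None
        return username

    def logout(self, sid):
        """Explicit logout: the server forgets the session."""
        return self._sessions.pop(sid, None) is not None


def demo():
    server = SessionStore(ttl_seconds=3600)
    browser_cookies = {}  # the user's browser cookie jar
    sid = server.login("alice", "correct-horse", now=0)
    browser_cookies["SESSIONID"] = sid
    copied_id = sid  # the same ID seen by a third party in step 1

    browser_cookies.clear()                         # user clears browser data only
    after_clear = server.lookup(copied_id, now=10)  # server still says "alice"

    server.logout(sid)                              # user actually logs out
    after_logout = server.lookup(copied_id, now=20) # None: server dropped it

    sid2 = server.login("alice", "correct-horse", now=0)
    after_expiry = server.lookup(sid2, now=3600)    # None: TTL reached
    return after_clear, after_logout, after_expiry
```

Running demo() returns ("alice", None, None): only the logout and the server-side expiry close the session.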
Clearing your browser cache or history does not mean you're safe; not yet. You've done the right thing, but you haven't finished it. Below is the step by step to clear the browser cache in Mozilla Firefox (I really love Firefox 🙂 )
1. Click Tools –> Clear Recent History
2. You can choose which time range you want to clear, and which data you want to clear.
But if your computer is a personal computer used by a lot of users (a family computer), you may want to configure it to always clear all cookies, history and cache every time you close Firefox.
1. Click Tools –> Options
2. In the Privacy tab, you can choose "Never Remember History" if you're on a public computer; but if you're on a private computer, this option makes every web application ask for your login information each time you visit the website. :p
I hope these tips and tricks make the session ID on your computer and on the server side clear to you.