By Gil Vidals, HIPAA Blog, Resources

Session hijacking is the takeover of a valid, authenticated session to gain access to parts of a system the attacker is not authorized to use. In web applications it usually means obtaining the session identifier the server issued to a logged-in user, most often stored in a cookie, and presenting it from the attacker's own browser. Because the server recognizes the user by that identifier alone, it treats the attacker's requests as if they came from the legitimate user.

Most web applications are exposed to this class of attack because HTTP is stateless: after login, the server does not re-verify credentials on every request but relies on a session identifier sent along with each one. Whoever holds a valid identifier, whether it was sniffed from unencrypted traffic, stolen from the browser, or simply known in advance, is treated as the authenticated user.

For example, one method an attacker might use is called a session fixation attack. Here the attacker does not steal the victim's session identifier but supplies one: he first obtains an identifier he knows (for instance by requesting a session from the site himself) and then tricks the victim into using it, typically by sending a malicious email with a link that carries that identifier. If the application accepts the identifier and does not issue a new one when the victim logs in, the attacker's known identifier is now bound to the victim's authenticated session, and the attacker can use it to act as the victim. The standard defense is to regenerate the session identifier at login (and at any privilege change) and to refuse session identifiers supplied in URLs.

HIPAA Vault uses several layers of security to prevent session hijacking attacks. One layer requires that communication with a server take place over SSH. Because SSH encrypts the entire connection and authenticates the endpoints, a session identifier cannot be read off the wire or injected into the stream, which defeats the hijacking attempts that depend on intercepting traffic.

In addition, HIPAA Vault provides its own SSL VPN that users must be connected to before communicating with the server. This makes impersonating an authenticated user far harder, because a captured or fixed session identifier is useless on its own: the attacker would also need the VPN credentials simply to reach the server.


Gil Vidals is the president and CTO of HIPAA Vault. He is a passionate subject matter expert on HIPAA compliance and the healthcare cloud, and co-host of the HIPAA Vault podcast. Since 1997, Gil's mission has been to provide uncompromising and affordable HIPAA compliant hosting solutions to commercial and government clients, helping protect their sensitive health information from data breaches and security vulnerabilities. HIPAA Vault has been recognized as an Inc. 5000 company and a Clutch Top B2B company. He can be reached on LinkedIn.