Session Hijacking on passportjs

I'd like to know how to prevent session hijacking using passportjs; currently, if I copy and paste the cookie into another browser I have access to all the stuff.

Alexandre Ferreira asked Feb 05 '26 02:02

2 Answers

Session hijacking is a kind of attack that, in this case, works by stealing session cookies (or session ids in general). Copy/pasting the cookie into another client does indeed steal the session, and this is how it's supposed to work.

The point of protecting against session hijacking is making sure that cookies can't be intercepted by a man-in-the-middle, and the best way for achieving this is using HTTPS/SSL.
Additionally, you should refresh session ids (for example using "session.regenerate"): this makes it difficult for an attacker to steal the session id and to use it before the user obtains a new one.

Aside from these basic things, there is almost nothing you can do. Protecting cookies should be a client's task, not your app's.

By the way, do not try linking the session to a user IP, as this can be incredibly frustrating for users who are connected from multiple IPs (a common thing in corporations, universities, etc). The only thing that does not have a lot of "side effects", in my opinion, is linking the session to the user agent of the browser. While this can be spoofed really easily by an attacker, it still provides slightly more protection - something is better than nothing.

ItalyPaleAle answered Feb 08 '26 03:02

I don't use passport but basically there are 3 main methods for protecting cookies from being hijacked:

  1. HTTPS/SSL: This prevents network snoopers from simply picking cookies off the network. Cloudflare allows you to use SSL for free on your site. The first 1 GB of the month is free and afterwards they only charge around 1 cent per GB. Heroku also offers free SSL but you have to pay a monthly fee of around $10.
  2. Encrypt/Sign Cookie: This prevents people from modifying your cookies. Express cookie parser has the ability to sign cookies but it does not encrypt them. I'm not an express expert but basically you need something that implements the Secure cookie protocol. You might have to implement your own code for this.
  3. Browser Validation: This is your main problem. What happens if someone copies and pastes the cookie into another browser? You can store various fingerprinting information inside the cookie (i.e. Browser|Browser Major Version|Processor|ISP|etc) and reject the cookie if there is a mismatch. For example, if the country is different then the session should be rejected.

Example:

// Helpers the example relies on; shown here as simple stand-ins.
// getISP would normally call an ASN/ISP lookup on the client address.
function getISP(req) {
    return req.ip; // placeholder: replace with a real ISP lookup
}

// Strip version numbers so routine browser updates don't invalidate sessions.
function getSimplifiedUA(req) {
    return (req.get('user-agent') || '').replace(/\d+(\.\d+)*/g, '#');
}

// Compare the stored fingerprint against the client making this request.
function validate(req, session) {
    if (
      getISP(req) !== session.isp ||
      getSimplifiedUA(req) !== session.ua
      // More tests...
    )
        return false;

    return true;
}

app.use(function(req, res, next) {
    // Fingerprint missing or mismatched: discard the session and start a
    // fresh one bound to the current client.
    if( req.session && !validate(req, req.session) ) {
        return req.session.regenerate(function(err) {
            if ( err ) return next(err);
            req.session.isp = getISP(req);
            req.session.ua = getSimplifiedUA(req);
            next();
        });
    }

    next();
});

app.use('/', function(req, res, next) {
    // Render something...
});
Walter answered Feb 08 '26 04:02