SESSIONS

Clear Your Cookies Weekly

Session hijacking is the easiest way to bypass MFA. Terminate stale sessions often.

What Is Session Hijacking?

When you log into a website, the server gives your browser a session token — a long random string stored in a cookie. Every request you make sends that token, and the server trusts it as "proof" that you're logged in.

Session hijacking is when an attacker steals that token and uses it themselves. They don't need your password. They don't need your MFA code. They just need that cookie.

How Tokens Get Stolen

  • Cross-Site Scripting (XSS): A vulnerability in the website injects malicious JavaScript that reads your cookies and sends them to the attacker
  • Man-in-the-Middle (MITM): On an unencrypted or weakly encrypted network, someone intercepts your traffic
  • Physical access: Someone with momentary access to your browser exports your cookies (tools like Cookie-Editor make this trivial)
  • Malware: Info-stealer malware harvests browser cookies from your filesystem

Why MFA Doesn't Help Here

Multi-factor authentication protects the login event. But a stolen session token bypasses login entirely — the server thinks you're already authenticated. This is why the 2FA you set up doesn't protect you from session theft.

The Fix: Terminate Stale Sessions

Weekly habits:

  1. Clear cookies for sensitive sites (email, banking, work tools)
  2. Check active sessions in your accounts (Google, Facebook, GitHub all show this) and revoke ones you don't recognize
  3. Use browser profiles — keep work, personal, and "shady" browsing separate (see the Browser Profiles tip)

For site owners:

  • Set short session expiry (15–30 min for sensitive apps)
  • Implement HttpOnly and Secure cookie flags
  • Bind sessions to IP address or user agent where feasible
  • Rotate session tokens after privilege escalation
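The four site-owner items above, worked through as an added Python example (not code from this page or from The Voice of Cash): a minimal server-side session store with an idle timeout, HttpOnly/Secure cookie attributes, binding to the User-Agent, and token rotation on a privilege change. It goes slightly beyond the list by also setting SameSite=Strict; the SessionStore class, the 30-minute timeout and the injectable clock are assumptions for illustration.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 30 * 60  # idle seconds before a session is considered stale (assumed value)


class SessionStore:
    """In-memory session table; `now` is injectable so expiry can be tested offline."""

    def __init__(self, now=time.time):
        self._now = now
        self._sessions = {}

    def create(self, user, user_agent):
        token = secrets.token_urlsafe(32)  # 256 bits of CSPRNG randomness
        self._sessions[token] = {"user": user, "ua": user_agent, "last_seen": self._now()}
        return token

    def lookup(self, token, user_agent):
        """Return the user for a live token, or None (and drop it) if stale or UA-mismatched."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if self._now() - s["last_seen"] > SESSION_TTL or s["ua"] != user_agent:
            self._sessions.pop(token, None)  # a replayed token fails closed
            return None
        s["last_seen"] = self._now()
        return s["user"]

    def rotate(self, old_token, user_agent):
        """Issue a fresh token after login or a privilege change; the old one stops working."""
        user = self.lookup(old_token, user_agent)
        if user is None:
            return None
        del self._sessions[old_token]
        return self.create(user, user_agent)

    def revoke(self, token):
        self._sessions.pop(token, None)


def session_cookie_header(token):
    """Build the Set-Cookie line: JavaScript cannot read it, HTTPS only, short Max-Age."""
    c = SimpleCookie()
    c["sid"] = token
    c["sid"]["httponly"] = True
    c["sid"]["secure"] = True
    c["sid"]["samesite"] = "Strict"
    c["sid"]["max-age"] = SESSION_TTL
    c["sid"]["path"] = "/"
    return c.output(header="Set-Cookie:")
```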

Tools That Help

  • Firefox Multi-Account Containers — isolates cookies by container, limits blast radius
  • Cookie AutoDelete extension — auto-wipes cookies for sites you haven't visited recently
  • Privacy Badger — blocks tracking cookies at the source

Clearing cookies is low effort and high return. Make it a weekly ritual.


The Voice of Cash delivers professional security audits and hands-on implementation.
