Web session hijacking via cookies and how a CMP can help

Kaspersky warns that session hijacking via cookies poses serious security risks, allowing attackers to impersonate users or steal data. The report highlights threats like XSS, session fixation, and insecure cookie settings. Strong defenses include HTTPS, Secure/HttpOnly flags, MFA, and consent management platforms (CMPs) like CookieHub to minimize cookie-based vulnerabilities.

In September 2025, web security firm Kaspersky published a warning titled “Don’t let the cookies bite: Kaspersky warns of the looming threat of web session hijacking.” They call attention to a little-appreciated cyber-risk: session hijacking via cookies. 

In short: a threat actor who steals or manipulates session cookies may impersonate a user, gain unauthorized access, or perform actions on their behalf. This is one of many cookie-based attack vectors that can jeopardize privacy, data integrity or even financial security.

Let’s explore what this means, what defenses exist, and how a consent management platform can help in reducing exposure.  

The threat context 

Kaspersky reports that 87% of a random sample of websites display cookie notices, but many users aren't aware of the deeper security risks cookies pose.

Cookies can store session IDs, preferences, authentication tokens, or other stateful data that tie a user to a server session. If attackers steal or hijack those cookies, they may assume the user’s identity or carry out unauthorized actions.  

What “session hijacking via cookies” means 

Cookies carry state. When a site sets a cookie or similar token, the browser automatically sends it on future requests so the server knows it’s still “you”. If an attacker steals or fixes that cookie, they can impersonate you until the session is invalidated.  

Some attack paths include:  

Session sniffing / man-in-the-middle attacks: over insecure connections (e.g. plain HTTP or poorly configured Wi-Fi networks), an attacker may intercept cookies in transit.

Cross-site scripting (XSS): malicious scripts are injected into a website and executed in the user’s browser, enabling theft of cookies.  

Session fixation: an attacker tricks a user into adopting a predefined session ID, then hijacks that session after the user logs in. Kaspersky’s alert explicitly calls out fixation risks and broader cookie abuse patterns. 

Academia has long documented the weaknesses in cookie-centric session authentication. For example, a classic ACM paper explains why cookies are the de facto web session mechanism and why their design makes them attractive to attackers, proposing "one-time cookies" as a countermeasure. Newer work continues to show that XSS remains widespread and automatable at scale.

This is an important wake-up call: cookies may seem mundane, but when misused or mishandled, they become potent attack vectors. 

Cookie hijacking usually refers to an attacker stealing or using someone else’s cookies (session/auth cookies or tracking cookies) to impersonate or track them. Common causes: 

Cookies exposed to JavaScript (no HttpOnly) 

Cookies sent on insecure connections (no Secure / not HTTPS) 

Cross-site scripting (XSS) that reads cookies 

Third-party scripts setting or reading cookies you didn’t intend 

Misconfigured SameSite settings allowing CSRF-style misuse 

A consent management platform, as well as some more general best practices, can address several of these vectors by controlling which scripts and cookies are allowed to run and by producing strong consent records. 

Best practice defensive measures 

Kaspersky recommends a set of best practices: enforce HTTPS, use HttpOnly and Secure flags on cookies, apply CSRF tokens, employ cryptographically strong session IDs, encourage minimal cookie acceptance, clear cookies and cache, enable two-factor authentication, avoid HTTP or public Wi-Fi without protections, etc.  

Defending against session hijacking requires a multi-layered approach. Building on those recommendations, best practices include:

Always use HTTPS / TLS 
All cookie exchanges and sensitive requests should be restricted to encrypted channels. Use HSTS (HTTP Strict Transport Security) to avoid protocol downgrade attacks. 

Set Secure and HttpOnly flags on cookies 

Secure: ensures the cookie is only sent over HTTPS, never over insecure HTTP.
HttpOnly: prevents JavaScript in the browser from reading or manipulating the cookie, reducing XSS-based theft.

SameSite cookie attribute 
Use SameSite (e.g. Strict or Lax) to restrict when cookies are sent in cross-site contexts, reducing CSRF risk and certain cross-site leakages. 

CSRF tokens / anti-CSRF strategies 
Each state-changing request should carry an unpredictable token (e.g. in headers or form bodies) tied to the user’s session. 

Session revalidation & expiration 
Force periodic reauthentication or automatic expiration. Invalidate sessions after logout or long inactivity. 

Input sanitization / XSS mitigation 
Use content security policies (CSP), strict input validation, output escaping, sandboxing, and frameworks that reduce the risk of script injection. 

Multifactor authentication (MFA) 
Even if session tokens are stolen, MFA can act as a backup barrier. 

Session binding / device fingerprinting 
Combine session tokens with additional metadata (IP address range, user agent, device fingerprint) and reject sessions that deviate significantly. 

This is a basic, if incomplete, list of foundational protections. But one area where web operators (site owners) often struggle is cookie management — which is where a consent management platform (CMP) like CookieHub can help. 

Adopt a consent management platform (CMP)  

A consent management platform (CMP) is a tool used by websites to collect, manage, and enforce user consent preferences for cookies, trackers, and other browser storage or script usage. CMPs are often used to comply with privacy regulations (such as GDPR, ePrivacy Directive, CCPA, etc.).  

Beyond compliance, a well-designed CMP contributes to security and reduced exposure in several ways: 

Minimizing cookie exposure 

One of the core aims of a CMP is to let users opt in or opt out of categories of cookies (e.g. strictly necessary, functional, performance, marketing, targeting, analytics). By refusing non-essential cookies, sites reduce their attack surface. If a user rejects cookies, those cookies (and associated sessions/tracking tokens) are never set, removing possible avenues of compromise. 

Getting granular control and segmentation 

A CMP allows websites to segment cookies by purpose and by the service that sets the cookie, enabling fine-grained control. Site operators can categorize cookies so that only first-party session cookies are allowed.

By enforcing cookie categories and attributes systematically, the CMP can reduce the risk that less-trusted cookies become pathways for hijacking. 

Enforce and revoke dynamically  

A robust CMP doesn’t just obtain consent once; it dynamically enforces consent state: 

If a user withdraws consent, the CMP can automatically delete or disable associated cookies and scripts. Scripts or trackers that depend on cookies are disabled until consent is regranted. Consent preferences persist and are reconciled across pages, subdomains, and future sessions. This dynamic revocation is important: you don’t want “zombie cookies” lingering even after the user opted out. 

Audit and log with transparency 

CMPs often come with dashboards or logs that show what request loaded the cookie and record the consent state. That visibility helps security teams audit for anomalous or risky cookie usage or scripts.  

Automatic cookie removal in CookieHub 

CookieHub's dashboard includes an automatic cookie removal feature that operators can enable or disable; it is disabled by default.

Block risky third-party scripts 

Third-party scripts (advertisers, trackers, widgets) are common sources of vulnerabilities (e.g., XSS, supply-chain script compromise). A CMP can block or defer those scripts unless a user consents, minimizing the risk that malicious third-party scripts inject code to sniff or steal cookies. 
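The dynamic enforcement described above (deleting cookies and disabling dependent scripts when consent is withdrawn, and gating third-party scripts until consent is given) as an added example that is not CookieHub's code. The category registry, cookie names and script URLs are constructed for illustration; the decision logic is a pure function so it can be exercised without a browser, and the browser glue only runs where a DOM exists.

```javascript
// Added example (not CookieHub's code): the enforcement step a CMP runs on every
// consent change. Registry, category names and script URLs are constructed here.
const REGISTRY = {
  necessary: { cookies: ['sid', 'csrftoken'], scripts: [] },
  analytics: { cookies: ['_ga', '_gid'], scripts: ['https://analytics.example/a.js'] },
  marketing: { cookies: ['_fbp'], scripts: ['https://ads.example/pixel.js'] },
};

// Pure decision: given consent (e.g. { analytics: false, marketing: true }) and the
// cookie names currently in the browser, return the scripts allowed to load and
// the cookies that must be purged. "necessary" is never purged or blocked.
function applyConsent(consent, presentCookieNames) {
  const allowScripts = [], purgeCookies = [];
  for (const [category, entry] of Object.entries(REGISTRY)) {
    const granted = category === 'necessary' || consent[category] === true;
    if (granted) allowScripts.push(...entry.scripts);
    else purgeCookies.push(...entry.cookies.filter(n => presentCookieNames.includes(n)));
  }
  return { allowScripts, purgeCookies };
}

// Browser glue. Gated scripts are shipped as
//   <script type="text/plain" data-src="https://..."></script>
// so the browser never executes them until consent swaps in a real <script>.
// Caveat: document.cookie cannot see or delete HttpOnly cookies; those must be
// cleared server-side when consent is withdrawn.
function enforceInBrowser(consent) {
  if (typeof document === 'undefined') return null;   // not running in a page
  const names = document.cookie.split(';').map(c => c.trim().split('=')[0]).filter(Boolean);
  const decision = applyConsent(consent, names);
  for (const name of decision.purgeCookies) {
    // Deletion only takes effect when Path/Domain match how the cookie was set.
    document.cookie = `${name}=; Max-Age=0; Path=/`;
    document.cookie = `${name}=; Max-Age=0; Path=/; Domain=${location.hostname}`;
  }
  document.querySelectorAll('script[type="text/plain"][data-src]').forEach(el => {
    if (!decision.allowScripts.includes(el.dataset.src)) return;
    const live = document.createElement('script');
    live.src = el.dataset.src;
    el.replaceWith(live);
  });
  return decision;
}
```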

Support a culture of trust, transparency, compliance and security 

While not a direct security measure, the transparency and trust engendered by a good CMP encourage users to pay attention to cookie notices, privacy settings, and consent choices. User awareness is a complementary defense: users who manage their cookies actively are less likely to inadvertently expose themselves. 

Implementing a secure CMP strategy: Don’t let cookies burn you 

If you are a website operator or developer, implementing a CMP complements your security and compliance efforts. 

The humble cookie, important to many functions of modern digital experiences, can cause major trouble if misused or mishandled. Cookies give attackers a ready target for session hijacking, impersonation, or data theft. But by adopting a CMP like CookieHub, you get an additional layer of protection, limiting the attack surface around cookies.  


©2025 CookieHub ehf.