且构网 - Sharing what programmers go through in development

Is HTTPS the only defense against session hijacking on an open network?

Updated: 2021-08-14 07:29:04


Firesheep is nothing new. Session hijacking has been around for as long as web applications have been using session IDs. Usually hackers just set their own cookie by typing this into the address bar: javascript:document.cookie='SOME_COOKIE'. This tool is for script kiddies who fear one line of JavaScript.


Cookies can be hijacked if you don't use HTTPS for the entire life of the session, and this is part of OWASP A9 - Insufficient Transport Layer Protection. But you can also hijack a session with XSS.


1) Use HttpOnly cookies.


2) Use "secure cookies" (Horrible name, but it's a flag that forces the browser to make the cookie HTTPS only.)


3) Scan your web application for XSS.


Also don't forget about CSRF! (Which Firesheep doesn't address.)