Let’s first discuss this in very simple terms. Whenever we log in to our account, the server generates a unique string that lets us back in automatically, without re-entering the password, for a limited time. After that time passes, it expires by itself.
Note: its lifetime lasts only as long as your web browser is open. If you close your web browser, the cookie is deleted (a recent addition to the cookie’s fields provides more security on this point).
This unique string, or “magic cookie,” is stored in two places: one copy on the server (which we cannot touch) and a second copy in our web browser, in the form of a cookie.
This cookie is destroyed in three ways: when you close your web browser, when you sign out of your account, and when you leave your account idle for more than 20 minutes.
As I said above, this tutorial is for hacking a Yahoo email account. In your web browser, open yahoo.com and log in to your account.
After that, type the code below exactly as is and press Enter:
A popup box will now appear showing the cookies, something like this:
Create a fake account on yahoo.com, log in to it, retrieve the cookie in the same way, and notice how the session IDs differ.
For hijacking session cookies we first need the victim’s session cookie, which is quite simple to obtain: you just need to send him one link, and as soon as he clicks it we get his session cookie.
After obtaining the session cookie, we can use the stolen cookie to log in to the victim’s account without providing the username and password; as I explained, session hijacking bypasses authentication on the server because we hold the auto-login cookie. In this type of attack, when the victim signs out, the attacker is signed out as well. In the case of Yahoo, though, things are a little different: when the victim signs out, the attacker still has access to the account, because Yahoo keeps the session for 24 hours and only then destroys the session IDs on its server.
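The cookie lifecycle described at the start (browser close, sign-out, 20-minute idle limit) and the Yahoo behaviour just described (the server keeps the session for 24 hours after sign-out) both come down to what the server does with its own copy of the session ID. The following Python is an added example, not code from this tutorial or from Yahoo: a minimal server-side session store that enforces the three expiry rules, placed beside the weak sign-out pattern the text attributes to Yahoo, where only the browser cookie is cleared and the server copy lives on until the 24-hour cap. The class names, the injectable clock and the `SESSIONID` cookie name are assumptions made for illustration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 20 * 60            # idle limit from the text: 20 minutes
ABSOLUTE_LIFETIME = 24 * 60 * 60  # hard cap from the text: 24 hours after login
COOKIE_NAME = "SESSIONID"         # assumed cookie name, for illustration only


@dataclass
class Session:
    user: str
    created: float    # login time
    last_seen: float  # last request that presented this ID


class SessionStore:
    """Server-side copy of the "magic cookie". The browser only ever holds
    the opaque ID; every decision about validity is made here."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now                       # injectable clock (assumption, for testing)
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)       # 256 random bits: not guessable
        t = self._now()
        self._sessions[sid] = Session(user, t, t)
        return sid

    def lookup(self, sid: str) -> Optional[str]:
        """Return the user behind a valid ID, or None. Expired entries are
        deleted on sight so a stale ID can never be revived."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        t = self._now()
        if t - s.last_seen > IDLE_TIMEOUT or t - s.created > ABSOLUTE_LIFETIME:
            del self._sessions[sid]
            return None
        s.last_seen = t                       # activity resets the idle clock
        return s.user

    def logout(self, sid: str) -> str:
        """Correct sign-out: delete the server copy AND tell the browser to
        drop its cookie. A copied ID stops working immediately."""
        self._sessions.pop(sid, None)
        return clear_cookie_header()

    def logout_client_only(self, sid: str) -> str:
        """Weak sign-out pattern described in the text: the browser cookie
        is cleared, but the server entry survives until ABSOLUTE_LIFETIME,
        so any other holder of the ID keeps access for up to 24 hours."""
        return clear_cookie_header()


def set_cookie_header(sid: str) -> str:
    """Browser copy. No Max-Age/Expires makes it a session cookie (gone when
    the browser closes); HttpOnly keeps page scripts from reading it;
    Secure restricts it to HTTPS; SameSite=Lax limits cross-site sending."""
    return f"Set-Cookie: {COOKIE_NAME}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def clear_cookie_header() -> str:
    """Expire the browser copy immediately."""
    return f"Set-Cookie: {COOKIE_NAME}=; Path=/; Max-Age=0; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("alice")                # constructed sample user
    print(set_cookie_header(sid))
    print("valid after login:", store.lookup(sid))
    store.logout(sid)
    print("valid after sign-out:", store.lookup(sid))
```

Two observations follow from running this. With `logout`, a session ID that was copied out of the browser is useless the moment the user signs out; with `logout_client_only`, the user sees a normal sign-out while the server still honours the ID, which is exactly the 24-hour window the text describes. The `HttpOnly` attribute is the cookie-side control: a cookie carrying it is not exposed to scripts in the page, so the browser copy cannot be read out from the address bar or a page script.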
1. Go to any free web hosting site that supports PHP and register.
Note: You can try this attack using two browsers. Sign in to a Yahoo account in one browser and run the code, then sign in from another browser using the stolen session.