Session Hijacking: They Don’t Need Your Password
You have a strong password. You enabled two-factor authentication. You use a password manager. You did everything right.
None of it matters. The attacker doesn’t need your password. They don’t need your 2FA code. They need your session token — the cookie or JWT that your browser sends with every request after you log in. Steal that token, and they are you. Full access. No authentication challenge.
This is session hijacking. It is the most direct path to account takeover, and it bypasses every authentication mechanism that only checks credentials at login time.
How session hijacking works
After you authenticate — entering your password, completing 2FA — the server creates a session token and sends it to your browser. This token is proof that you already authenticated. Your browser sends it with every subsequent request, and the server grants access based on the token alone.
An attacker who obtains this token can use it from any device, any location. The server sees a valid token and grants access. The authentication happened. The token is the proof. There is no second check.
Cookie theft via MITM
On a compromised network — evil twin, ARP poisoning, or rogue AP — the attacker intercepts HTTP traffic and extracts session cookies. Even with HTTPS, SSL stripping can downgrade the connection and expose cookies in transit.
Cross-site scripting (XSS)
A single XSS vulnerability in a web application allows JavaScript to read the session cookie and send it to the attacker. The HttpOnly cookie attribute prevents this for cookies, but many applications store tokens in localStorage or sessionStorage, which are fully accessible to JavaScript.
Malware and browser extensions
Malicious browser extensions can read all cookies for all domains. A single compromised extension — and there are hundreds of documented cases — can exfiltrate every session token in your browser simultaneously.
Token leakage via logs and referrers
Session tokens placed in URL parameters (still common in older applications) leak through browser history, server logs, proxy logs, and HTTP Referer headers. The attacker doesn’t need network access — they need access to any system that logged the URL.
Why session hijacking bypasses 2FA
Two-factor authentication protects the login event. It does not protect the session that login creates. Once you complete 2FA and receive a session token, the token carries full access with no further authentication required.
A hijacked session token is a post-authentication artifact. It represents a completed authentication. The server has no mechanism to distinguish between the legitimate user presenting the token and an attacker presenting the same token from a different device.
2FA is a gate. Session tokens are the key you receive after passing through the gate. If someone copies your key, they never need to go through the gate. The gate is irrelevant.
The token lifetime problem
Most session tokens live for hours or days. Many live for weeks. Some never expire:
- Gmail: Session tokens persist for months unless explicitly revoked
- GitHub: Personal access tokens have configurable expiry, often set to 90 days or “no expiration”
- AWS: Session tokens from STS last up to 12 hours by default
- Most SaaS apps: “Remember me” cookies typically last 30 days
A stolen token that lives for 30 days gives an attacker 30 days of full access. Every minute of that token’s lifetime is attack surface.
How ZK Proven prevents session hijacking
ZK Proven fundamentally changes the session model. Instead of a single long-lived token, every session uses continuously rotating ephemeral keys with cross-session nullifiers.
200ms ephemeral key rotation
ZK Proven sessions generate a fresh CRYSTALS-Dilithium keypair every 200 milliseconds. Each key is used for exactly one proof interval and then cryptographically destroyed. A captured key is valid for at most 200ms — and by the time an attacker could use it, it has already expired and been replaced.
Compare this to traditional session tokens that live for days. ZK Proven reduces the token lifetime by a factor of 432,000x (30 days / 200ms).
Cross-session nullifiers
Every proof interval generates a unique nullifier — a cryptographic value derived from the session state at that specific moment. If a stolen key is presented from a different device, the nullifier chain breaks. The server sees a discontinuity in the nullifier sequence and terminates the session immediately.
The nullifier is bound to the device’s behavioral entropy. A different device has different hardware timing characteristics, which produces a different entropy stream, which produces a different nullifier. The stolen key is mathematically unable to produce the correct nullifier from a different device.
Session binding to hardware
ZK Proven’s hardware attestation proof ties each session to the specific hardware security element (TPM, Secure Enclave) of the device. An attacker presenting a stolen token from a different device fails the hardware attestation. The session is invalidated.
Ephemeral keys expire in 200ms. Cross-session nullifiers detect device changes. Hardware attestation binds the session to physical hardware. An attacker would need to steal the key, clone the device’s behavioral entropy, and forge hardware attestation — all within 200 milliseconds.
What happens when a token is stolen
Without ZK Proven: The attacker uses the token. The server sees a valid session. Full access granted. The attack continues for the remaining lifetime of the token — potentially weeks.
With ZK Proven:
- The attacker captures a key from the current proof interval.
- The attacker attempts to use the key from their device.
- The nullifier chain breaks because the attacker’s device produces different behavioral entropy.
- Hardware attestation fails because the attacker’s device has a different TPM/Secure Enclave.
- The session is terminated — both the attacker’s and the original user’s.
- The original user re-authenticates from scratch. Fresh keys. Fresh nullifiers. Fresh session.
Total exposure time: under 200 milliseconds. The attacker accessed nothing.
The InfoStealer epidemic
InfoStealer malware — Raccoon, RedLine, Vidar, Lumma — specifically targets browser session cookies. These tools extract every cookie from every browser profile on the infected machine and upload them to a command-and-control server. The stolen cookies are sold in bulk on dark web marketplaces.
In 2025, over 10 million sets of stolen cookies were available for purchase. Each set potentially grants access to email, banking, cloud infrastructure, and corporate SaaS applications.
Traditional defenses against InfoStealers focus on preventing the malware from running. But prevention fails — regularly. When it fails, the stolen cookies provide persistent access for as long as the tokens remain valid.
With ZK Proven, stolen cookies expire in 200ms. Even a successful InfoStealer extraction produces tokens that are worthless by the time they reach the attacker’s server.
Stop trusting tokens
Session tokens are trust cached in a cookie. ZK Proven replaces cached trust with continuous proof. Every 200 milliseconds, the session re-proves itself. Steal the proof — it’s already expired.
Make session hijacking impossible
200ms key rotation. Cross-session nullifiers. Hardware-bound sessions.