The attacker who skips the login entirely

Most account-security advice is about the login: pick a strong password, turn on MFA, watch for credential stuffing. All of it matters, and all of it guards a single moment — the instant a user proves who they are. But authentication happens once, and then something quieter takes over: a session token, handed to the browser so the user does not have to re-prove themselves on every click. That token is the thing an attacker actually wants, because it is a bearer key. Whoever holds it is treated as the user, and it asks for no password and no second factor to be honored.

This is the uncomfortable gap. You can do everything right at the door and still be compromised through the key that gets minted after the door opens. A stolen session lands the attacker past the MFA prompt the user already answered, which is precisely why it is such a prized target — it is authentication laundered into access.

How a session gets stolen

The token lives in the browser and travels with each request, so it can be lifted from several places at once:

  • Cross-site scripting. If an attacker can run JavaScript on your page, they can often read the session and exfiltrate it. This is one more reason the security headers and content-security policy that blunt XSS are session-defense controls, not just cosmetic hardening.
  • Malicious browser extensions and infected endpoints. An extension with page access, or malware on the laptop that is now the perimeter, can read cookies and local storage straight from the browser — no network interception required. The token walks out the same door the user walked in.
  • Interception on the wire. A missing or misconfigured certificate, a downgraded connection, a hostile network — any of these can expose a token in transit, which is why TLS everywhere and certificate hygiene is part of the same story.
  • Phishing that harvests the session, not the password. Modern adversary-in-the-middle phishing kits proxy the real login, let the user pass MFA, and pocket the resulting session cookie. The victim genuinely logged in; the attacker simply kept a copy of the key.

The common thread: none of these require the password. They all steal the artifact minted after the password.

Shrink the window the token is worth stealing

You cannot make a session impossible to steal, so the goal is to make a stolen one worth as little as possible. That is mostly about time and scope:

  • Keep sessions short and re-validate. A token that expires in hours is a far smaller prize than one good for weeks. Idle timeouts and absolute lifetimes turn a stolen session into a brief window instead of a standing invitation.
  • Bind the token to context where you can. Tie the session to signals that are awkward to forge in bulk, so a token replayed from a new device or an impossible-travel location looks wrong instead of welcome.
  • Mark cookies HttpOnly and Secure. An HttpOnly cookie cannot be read by page JavaScript, which closes the most common XSS-to-theft path outright; Secure keeps it off unencrypted connections. These are the same small, high-leverage response-header decisions as the rest of your header baseline.
  • Make logout and password-reset actually kill sessions. A revoked password should invalidate the sessions minted under it. If a user resets after a scare and their old session keeps working, you have handed the attacker a grace period — the exact gap that turns a near-miss into a breach.

A hijacked session leaves fingerprints

The good news is that a stolen token, used by someone who is not the user, tends to behave in ways the real user never would — and those anomalies are watchable in the log and detection pipeline you already run:

  • The same session from two geographies at once, or a jump between them faster than a plane flies — a single token being used in two places is a strong signal it has been copied.
  • A device or user-agent that does not match the one the session was minted on, or a sudden shift mid-session.
  • A privilege pattern that does not fit the person — a session that starts browsing normally and then reaches for admin functions or bulk data export is behaving like a hijack, not a workday.

Each of these is a finding with an owner and a clock, ranked by what the session can reach: a hijacked admin session touching production is a five-alarm event, and a read-only session on a low-value app sits behind it under the same exposure-first triage as everything else.

Prove the door closes when someone leaves

Session discipline is also an audit story. When an employee is offboarded or a vendor relationship ends, "we disabled the account" is not the same as "we killed their live sessions" — and an assessor reviewing your access controls will ask which one you actually did. Being able to show that revocation is immediate and complete, and that anomalous sessions are caught and closed, is exactly the kind of artifact that drops into continuous evidence collection.

One honest caveat: a platform can watch for the signals of a hijacked session — an impossible-travel token, a mismatched device, a session reaching for things the user never touches — surface each as a tracked finding, and keep that evidence current for an auditor. It organizes, watches, and proves the work. It does not by itself expire your tokens, mark your cookies, terminate a stolen session, or grant or guarantee any certification; the session configuration, the revocation-on-offboarding, and the response are operational steps your team owns, and which breach-notification obligations a stolen session triggers is a question for counsel.

You can guard the login perfectly and still lose the account through the key minted after it. Shorten the session, bind it to context, kill it on logout and offboarding, and watch for the tell-tale signs that a token is being used by someone who is not its owner. The attacker who never had to log in is counting on nobody watching the session after the door closed.