How Session Token Theft Attacks Work and How to Defend Against Them
There is a way to take over accounts without ever cracking a password: session token theft. If an attacker steals the authentication tokens (cookies or JWTs) stored in a browser after login, they can impersonate the victim and access services without needing the password or multi-factor authentication (MFA) at all. According to SpyCloud's 2024 report, session cookies stolen by infostealer malware increased 60% year-over-year, with approximately 22 billion cookie records traded on the dark web. Microsoft's threat intelligence team reported that session token theft was involved in 39% of enterprise attacks confirmed in 2024. This article explains the technical mechanics of session token theft attacks, reveals the reality of Pass-the-Cookie attacks that bypass MFA, and provides specific defensive measures for both individuals and organizations.
Conclusion - Authentication Defense in an Era Where MFA Alone Is Not Enough
Session token theft is an attack that succeeds even when MFA is configured. There are three key defense points. First, prevent infostealer infection (keep OS and browser updated, avoid installing suspicious software). Second, detect session anomalies (monitor for sudden changes in IP address or device). Third, regularly update passwords so that even if tokens are stolen, attackers can be locked out through session invalidation and re-authentication. Regularly update passwords on Passtsuku.com and strictly avoid saving passwords in browsers.
What Are Session Tokens?
Cookie-Based Session Management
Web applications issue session tokens to identify users after login, compensating for HTTP's stateless nature. The most common method is cookie-based session management. When a user successfully authenticates with a password and MFA, the server sends a cookie containing a session ID to the browser. Subsequent requests automatically include this cookie, and the server verifies the session ID to identify the user. In other words, whoever possesses this cookie is treated as an "authenticated user." If an attacker steals this cookie, they can reproduce the logged-in state without going through the password or MFA.
How JWT (JSON Web Token) Works
In modern web applications and SPAs (Single Page Applications), JWT is increasingly used for session management. JWT is a self-contained token that includes user information and an expiration time, eliminating the need to maintain session state on the server side. JWTs are typically stored in localStorage, sessionStorage, or HttpOnly cookies. The problem with JWTs is that once issued, they are difficult to invalidate until expiration. With cookie-based session management where the server manages sessions, destroying the session on the server immediately invalidates it, but JWTs determine validity through signature verification alone, requiring a blacklist mechanism to immediately revoke stolen tokens.
Major Attack Methods
Mass Theft via Infostealers
The most serious threat as of 2025 is session token theft by infostealer malware. Infostealers like RedLine, Raccoon, and Lumma infect PCs through pirated software, malicious ads, and phishing emails, and extract all cookies, saved passwords, and cryptocurrency wallet information stored in the browser within seconds. According to Group-IB's 2024 report, over 10 million devices were infected by infostealers in a single year, and the stolen data is sold on the dark web for as little as $10 per device. The critical point is that infostealers steal cookies that have already passed MFA authentication. No matter how strong the MFA is, once the post-authentication session cookie is stolen, the attacker can use it directly.
For technical details on session hijacking, technical books on session hijacking defense (Amazon) can also be helpful.
Pass-the-Cookie Attacks - Neutralizing MFA
Pass-the-Cookie attacks import stolen session cookies into the attacker's browser, reproducing the victim's logged-in session as-is. The attack flow works as follows. First, the victim's browser cookie database file is stolen via infostealers or phishing. Next, the attacker imports the stolen cookies into their own browser (or automation tool). When the browser accesses the target service, the server receives a valid session cookie and treats the attacker as an authenticated user. What makes this attack dangerous is that it completely bypasses the authentication process. Password strength and MFA type (TOTP, FIDO2, SMS) are irrelevant. Authentication has already been completed, and the attacker simply uses the "result." Microsoft disclosed in 2024 that the Midnight Blizzard (formerly Nobelium) group used this technique to gain unauthorized access to Microsoft 365 enterprise accounts.
Theft via XSS (Cross-Site Scripting)
XSS attacks inject malicious JavaScript into web pages to steal session tokens. If a web application has an XSS vulnerability, an attacker can embed code like document.cookie to send the victim's cookies to an external server. The defense against this is the HttpOnly flag. Cookies with the HttpOnly attribute set cannot be accessed from JavaScript, preventing theft via XSS. However, even with HttpOnly, tokens stored in localStorage or sessionStorage remain accessible from JavaScript and are vulnerable to XSS. OWASP's 2024 statistics show that XSS vulnerabilities still account for approximately 18% of all web application vulnerabilities, making it a threat that cannot be ignored.
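A way to check the cookie attributes discussed above on the server side, as an added example that is not from the article: a small auditor that parses a `Set-Cookie` header and flags a session cookie that lacks `HttpOnly`, `Secure` or `SameSite`, or that lives unusually long, next to a helper that emits a hardened header. The sample headers are constructed and the function names are hypothetical. One caveat worth keeping in mind: `HttpOnly` stops script from reading the cookie, but an XSS payload can still issue requests that the browser will attach the cookie to, so it narrows theft rather than neutralising XSS entirely.

```javascript
// Added example (not from the article): audit Set-Cookie headers for the attributes
// that limit theft and replay of session cookies. Names are hypothetical.

// Parse "name=value; Attr; Attr=val" into a small object; attribute keys are lower-cased.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = nameValue.indexOf('=');
  const cookie = { name: nameValue.slice(0, eq), value: nameValue.slice(eq + 1), attributes: {} };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Return the list of weaknesses found in one Set-Cookie header (empty list = nothing flagged).
function auditSetCookie(header, maxSessionAgeSeconds = 86400) {
  const c = parseSetCookie(header);
  const a = c.attributes;
  const findings = [];
  if (!a.httponly) findings.push('missing HttpOnly: readable via document.cookie, so an XSS bug can exfiltrate it');
  if (!a.secure) findings.push('missing Secure: may be sent over plaintext HTTP');
  if (!a.samesite) findings.push('missing SameSite: attached to cross-site requests');
  else if (String(a.samesite).toLowerCase() === 'none' && !a.secure) findings.push('SameSite=None requires Secure');
  if (a['max-age'] !== undefined && Number(a['max-age']) > maxSessionAgeSeconds) {
    findings.push(`Max-Age ${a['max-age']}s: a long-lived session cookie widens the replay window`);
  }
  // The __Host- prefix is only honoured by browsers when Secure is set, Path is "/" and Domain is absent.
  if (c.name.startsWith('__Host-') && (!a.secure || a.domain !== undefined || a.path !== '/')) {
    findings.push('__Host- prefix requires Secure, Path=/ and no Domain');
  }
  return { name: c.name, findings };
}

// Build the header a session cookie should normally carry.
function sessionCookieHeader(name, value, maxAgeSeconds) {
  return `${name}=${value}; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=${maxAgeSeconds}`;
}

// Constructed sample headers (not taken from any real service).
const WEAK_HEADER = 'sessionid=abc123; Path=/';
const HARDENED_HEADER = sessionCookieHeader('__Host-sessionid', 'abc123', 3600);
const LONG_LIVED_HEADER = 'sessionid=abc123; Secure; HttpOnly; SameSite=None; Max-Age=2592000';
```

Running the auditor over the three constructed headers flags three weaknesses in the first, none in the hardened one, and only the thirty-day lifetime in the last.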
Technical Defense Measures
Token Binding and Device Attestation
The most effective technical countermeasure against session token theft is token binding, which ties tokens to devices. Google implemented a prototype of Device Bound Session Credentials (DBSC) in Chrome browser in 2024. DBSC binds session cookies to the device's TPM (Trusted Platform Module) chip, invalidating cookies when used on a different device. This means stolen cookies cannot be used on the attacker's device. Microsoft also offers token protection through Conditional Access in Azure AD (now Entra ID), which can block token usage from devices other than the one where the token was issued. However, these features are still in limited deployment as of 2025 and are not available across all services.
Session Anomaly Detection
In environments where token binding is not available, session anomaly detection becomes a critical defense layer. Specifically, this involves detecting sudden IP address changes during a session (such as switching from a Japanese IP to a foreign IP), User-Agent string changes (such as switching from Chrome to Firefox), and geographically impossible travel (such as accessing from New York 10 minutes after Tokyo), and forcibly invalidating the session. Google and Microsoft cloud services already implement this type of anomaly detection, requiring re-authentication when suspicious session usage is detected. For enterprises, analyzing session logs with SIEM (Security Information and Event Management) tools to automatically detect anomalous patterns is effective.
What Individual Users Can Do
Do Not Save Passwords in Browsers
Passwords saved in browsers are a primary target of infostealers. Chrome, Firefox, and Edge store passwords in an encrypted database, but infostealers can decrypt them using the OS credential store. Use a dedicated password manager (1Password, Bitwarden, etc.) instead of browser password storage. Dedicated password managers encrypt data with a master password that is not stored in the OS credential store, making them resistant to infostealer extraction. Generate unique passwords of 16 characters or more for each service on Passtsuku.com and manage them in a password manager.
Regular Session Checks and Logout
Regularly check the list of active sessions in the security settings of major services. For Google accounts, check "Your devices"; for Microsoft accounts, "Recent activity"; and for GitHub, the "Sessions" page. If you see sessions from unrecognized devices or locations, immediately invalidate that session and change your password. Also, after using shared PCs or cafe computers, always log out and delete browser cookies. Never check the "Stay signed in" checkbox on any device other than your own.
Keep OS and Browser Always Up to Date
Many infostealers exploit known vulnerabilities in the OS or browser to infect systems. Enable Windows Update, macOS software updates, and Chrome/Firefox auto-updates, and apply security patches promptly when released. Chrome in particular releases emergency patches within days of zero-day vulnerability discoveries, so it is important not to disable auto-updates. Also, avoid installing suspicious software and only download applications from official stores and official websites. Pirated software and cracked versions are the most common distribution channels for infostealers.
What You Can Do Right Now
- Check active session lists in Google, Microsoft, and GitHub security settings and invalidate suspicious sessions
- Delete all passwords saved in browsers and migrate to new passwords generated on Passtsuku.com stored in a password manager
- Verify that your OS and browser are the latest version and enable auto-updates
- Remove unnecessary browser extensions and review permissions of remaining extensions
- Disable "Stay signed in" for important services to shorten session lifetimes
Frequently Asked Questions
- Can MFA prevent session token theft?
- No, MFA alone cannot prevent it. Session token theft targets tokens after MFA authentication is complete, so the attack succeeds regardless of MFA type. MFA is effective against password leaks, but cookie theft by infostealers requires separate countermeasures (not saving passwords in browsers, keeping OS updated, avoiding suspicious software).
- How can I check if my session cookies have been stolen?
- Direct confirmation is difficult, but there are several signs: login history from unrecognized devices or locations, traces of actions you did not perform (email sending, setting changes), and "new device login" notifications from services. Check active sessions in Google or Microsoft security settings, and if anything looks suspicious, log out of all sessions and change your password.
- Is it safe to regularly delete browser cookies?
- Regular cookie deletion has the effect of shortening session lifetimes, but it is not a fundamental countermeasure. Infostealers steal all cookies at the moment of infection, so if deletion happens after infection, it is too late. Rather than cookie deletion, preventing infostealer infection itself (OS updates, avoiding suspicious software) and not saving passwords in browsers are more important.