First of all, session hijacking is a technique that steal the cookies from authenticated user, and lie to the server that you’re the authenticated user.

I’m going to show an example on how to get into the facebook account.

Assumption: I already have the authenticated cookies on my hand.

1. Open facebook.com with Firefox

I still think that Firefox is the best browser ever for developer.

Firefox - facebook login page

You can see the Facebook login page now. Now I need to import the cookies into here.

But before that, please download Advanced Cookie Manager plugin fo Firefox.

2. Import the cookies to facebook.com

Firefox plugin: Advanced cookie manager

Go to Manage Cookies menu, select “facebook.com” in the Domain there. Now you can see a few cookies here.

See the box I highlighted? Facebook use https, so httpOnly choose false, isSecure choose true and isSession also true. These are session cookies.

Advanced cookie manager with all session cookies

Now will be like this.

3. Successful login

Refresh the page, and now…

Successful login

DONE!

Summary

The concept is like you want to go to foreign country, but you don’t have a passport. Now you steal/get the passport from someone (ignore the passport photo, just an example here). Now you tell the custom that you’re actually the someone, and you’ll get pass.