Computerz R Us — Cyber Security Division

Session Cookie/Token Hijacking + Always-Logged-In Apps Protection

Practical, real-world guidance (users + websites)

Stop session hijacking and protect apps that stay signed in.

Session hijacking is when an attacker steals a session cookie or auth token and uses it to act as the user. Always-logged-in apps (phone apps, Outlook, social apps) often use refresh tokens that keep access alive until you revoke sessions.

Reality: Changing a password alone may not kick out active sessions. You need “Sign out everywhere”, remove unknown devices, and revoke connected apps/tokens.
Security Readiness Audit
Set status for each control (no checkboxes). Download your report anytime.
Scoring: Done = 2 pts • In progress = 1 pt • Not started = 0 pts

    Fast takeaways

    Best overall: Use passkeys and/or a hardware security key (Yubico/YubiKey) for Google/Microsoft/YouTube admin accounts.
    Duo Mobile users: avoid “push fatigue” — approve only logins you started, and prefer stronger methods (keys/passkeys) for admins.
    If suspicious: end sessions everywhere, remove unknown devices, revoke connected apps, and check mail rules/forwarding.
    Common takeover path: phishing → malicious download/extension → token/session theft → takeover until sessions revoked.

    How session hijacking happens (common paths)

    🧨 XSS (Cross-Site Scripting)
    Web app risk

    If an attacker can run JavaScript inside your site (unescaped HTML rendering, unvalidated input, a compromised third-party script), they can read tokens kept in JavaScript-accessible storage or perform actions as the user.

    Defense: output escaping + CSP + eliminate inline scripts + reduce 3rd-party JS trust.
    📡 Network interception / downgrade
    Stops with HTTPS

    If your site still serves plain HTTP or mixed content, cookies/tokens can leak on untrusted networks or through downgrade tricks.

    Defense: HTTPS everywhere + HSTS + remove mixed content.
    🎣 Phishing + malicious extensions/apps
    User + admin risk

    Malicious downloads/extensions/apps often steal sessions/tokens, leading to account takeover.

    Defense: minimize extensions/apps, separate admin profile, revoke sessions quickly if suspicious.

    Purpose of Yubico / Security Keys (why they matter)

    Reference: Yubico Security Keys
    Hardware keys for phishing-resistant MFA / passwordless sign-in
    What it is: Yubico makes hardware security keys (“YubiKeys”) used for phishing-resistant MFA and passwordless sign-in.
    What it blocks: stolen passwords, fake login pages, OTP interception, and many MFA social-engineering attacks.
    Best practice: Use two keys (primary + backup). Assign keys to admin/creator accounts first.
    Remember: If a session is already hijacked, you still must end sessions and revoke connected apps.
    🧷 Security key vs passkey (simple)
    Quick compare
    • Passkey: stored on a device (phone/PC), unlocked by biometrics/PIN, phishing-resistant.
    • Security key: stored on a physical key (USB/NFC), typically strongest for admins and highest value accounts.
    • Smart setup: passkeys for daily use + security key(s) for admin/creator and as a backup method.

    Duo Mobile (Duo Security) — what it does + how to use it safely

    Duo Mobile is a multi-factor authentication (MFA) app used by businesses (VPN, Microsoft 365/SSO, admin portals, etc.). It commonly uses push approvals and/or codes to confirm it’s really you signing in.

    What Duo protects: your login. Even if an attacker knows the password, they still need your approval (or device).
    Where users get tricked: “Push fatigue” — attackers spam prompts hoping someone taps Approve.
    Golden rule: If you didn’t start the login, tap Deny. Then change password and investigate immediately.
    Best Duo habits: biometric phone lock, keep Duo updated, and use stronger methods (keys/passkeys) for admin accounts.
    Session hijack note: MFA can be bypassed if an attacker steals an existing session token/cookie.
    So the combo is: Strong MFA + browser/device hygiene + ability to end sessions fast.
    ✅ Duo Mobile safety checklist
    Do these
    • Never approve unexpected push prompts (deny + report).
    • Keep your phone locked with biometric + strong PIN, short auto-lock.
    • Enable remote wipe (Find My / Find My Device).
    • Review and remove unknown devices/sessions after suspicious prompts.
    🧯 If you get spammed with Duo prompts
    Response
    • Tap Deny.
    • Change password from a known-clean device.
    • End sessions / sign out everywhere for that account.
    • Check connected apps, email rules/forwarding, recovery settings.
    • Notify IT/security (business environments).
    Reason: repeated prompts often mean someone already has your password and is trying to get an approval.

    Passkeys, Security Keys, and Biometric Security (what to use)

    For high-value accounts (Google, Microsoft, YouTube, business admin logins), the strongest practical login protection is: Passkeys and/or a hardware security key (FIDO2/WebAuthn).

    🔐 Passkeys (biometric/device-based)
    Recommended
    • What it is: Passwordless sign-in using your device + biometric/PIN.
    • Why it helps: Bound to the real site and your device; fake login pages are far less effective.
    • Examples: Windows Hello, Face ID/Touch ID, Android screen lock passkeys.
    Best practice: Use passkeys daily + keep a backup device or backup key.
    🧷 Hardware security keys (FIDO2/WebAuthn)
    Strongest for admins
    • What it is: A physical key (USB/NFC) that proves it’s really you.
    • Why it helps: Highly resistant to phishing and “push fatigue” tricks.
    • Pro move: Keep two keys — primary + backup stored safely.
    📲 If you must use MFA codes
    Fallback
    • Prefer authenticator apps or passkeys over SMS.
    • Never approve prompts you didn’t start.
    • Enable alerts for new device logins.
    Avoid: SMS when possible for high-value accounts.

    Protecting apps that stay logged in (iPhone, Android, Outlook, social apps)

    🔁 Refresh tokens & device sessions
    Why they persist

    Apps commonly use short-lived access tokens + long-lived refresh tokens stored on the device. As long as the refresh token stays valid, the app can keep you signed in for weeks/months.

    Defense: lock the device + keep it clean/updated + revoke sessions if suspicious.
    📱 Your phone security becomes your account security
    Big deal
    • If the phone is stolen while unlocked, apps are “you”.
    • If the phone is infected, tokens can be harvested or actions can be performed as you.
    • Attackers also persist via OAuth/connected apps even without stealing tokens.
    Defense: short auto-lock + biometric + strong PIN + remote wipe + passkeys/keys for accounts.

    Browser safety checks (Firefox, Chrome, Edge, Safari)

    🧩 Extensions hygiene
    High impact
    • Remove extensions you don’t fully trust (especially “download helpers”, “coupon”, “free VPN”).
    • Separate admin accounts into a clean browser profile with minimal extensions.
    🌐 Chrome / Edge settings to check
    HTTPS + cookies
    • Enable HTTPS-first / “Always use secure connections” where available.
    • Limit third-party cookies (allow exceptions only when required).
    • Keep browser updated.
    🦊 Firefox settings to check
    Privacy + HTTPS
    • Enable HTTPS-Only Mode.
    • Enhanced Tracking Protection: Strict (if it doesn’t break needed sites).
    🧭 Safari settings to check
    Cross-site tracking
    • Keep “Prevent Cross-Site Tracking” enabled.
    • Keep iOS/macOS updated (Safari fixes land via OS updates).
    Best practice: For admin accounts, keep admin browsing separate from daily browsing and use passkeys/security keys.

    How to end all sessions and logins (universal playbook)

    If someone stole a session cookie/token or an app refresh token, they may still be logged in even after a password change. The fix is to terminate sessions and remove persistence.

    Do this from a known-clean device (or a fresh browser profile) if you suspect your main device/browser is compromised.
    ✅ Universal steps (works for almost any account)
    Do these first
    • Change password (unique, long, stored in a password manager).
    • Sign out everywhere / end all sessions (Security → Devices/Sessions).
    • Remove unknown devices and revoke their sessions.
    • Revoke connected apps/OAuth access you don’t recognize.
    • Check recovery options (email/phone), remove anything unknown.
    • Check mail forwarding / rules (classic persistence move).
    • After control is regained: add passkeys/security keys and tighten Duo settings where applicable.
    🧼 Device cleanup (so you don’t get re-hijacked)
    Stops repeat
    • Remove suspicious apps/extensions.
    • Update OS + apps + browser.
    • If compromise repeats: use a different device, then consider a clean OS reinstall.
    Important: If malware remains, it can steal the new session again.

    Audit controls (set status)

    Choose: Done, In progress, or Not started. This drives your score + report + recommended next steps.