by jbotdev
973 days ago
The post glossed over how exactly they detected session hijacking. They mentioned “This detection looks for suspicious sessions appearing without an authentication event that are consistent with session hijacking.”, but authentication obviously happened at some point, otherwise the session wouldn’t exist. I’m guessing this is a complicated way of saying the IP changed since login. Of course the easiest solution is you shouldn’t voluntarily share HAR files for an active session.

> *Indicators of Compromise*
> ...
> Okta activity for a user without any clear indication that the user authenticated (e.g. a user.session.start event for that user from a similar geographic area)
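
Added example, not part of the comment or of the post it quotes: one way to check the quoted indicator, flagging activity that has no preceding `user.session.start` for the same user from the same area. The flat record layout, the use of country as "similar geographic area", the 12-hour window, and the sample events are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

SESSION_START = "user.session.start"  # event type named in the quoted indicator

def unanchored_activity(events, max_age=timedelta(hours=12)):
    """Return events with no session start for the same user and country
    in the preceding max_age (assumed window, tune to session lifetime)."""
    last_login = {}  # (user, country) -> time of most recent session start
    flagged = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["published"])):
        key = (ev["user"], ev["country"])
        ts = datetime.fromisoformat(ev["published"])
        if ev["eventType"] == SESSION_START:
            last_login[key] = ts
            continue
        seen = last_login.get(key)
        # No login at all from this area, or the login is too old to explain it.
        if seen is None or ts - seen > max_age:
            flagged.append(ev)
    return flagged

def ev(user, event_type, country, published):
    # Simplified, constructed record; real log entries nest these fields.
    return {"user": user, "eventType": event_type,
            "country": country, "published": published}

# Constructed sample log, deliberately out of order.
SAMPLE_EVENTS = [
    ev("alice", "user.authentication.sso", "US", "2023-10-02T09:05:00+00:00"),
    ev("alice", SESSION_START, "US", "2023-10-02T09:00:00+00:00"),
    # Same user, different country, no login seen from there.
    ev("alice", "system.api_token.create", "RO", "2023-10-02T09:20:00+00:00"),
    # No session start for this user anywhere in the log.
    ev("bob", "user.authentication.sso", "DE", "2023-10-02T10:00:00+00:00"),
    # Right area, but the login is older than the assumed window.
    ev("alice", "user.authentication.sso", "US", "2023-10-02T23:30:00+00:00"),
]

def summarize(events):
    return [(e["user"], e["eventType"], e["country"]) for e in events]

if __name__ == "__main__":
    for row in summarize(unanchored_activity(SAMPLE_EVENTS)):
        print(row)
```

Keying on country rather than IP keeps ordinary address churn (mobile networks, VPN exits in the same region) from flooding the results, at the cost of missing a replay from inside the same country.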