by aeon10 4566 days ago
I've noticed this too. A lot of ecommerce sites use HTTP for browsing. I assume this is because of speed. However, I don't see why the session cannot be hijacked. If I copy all of the cookies, how will the server differentiate the hijacker from the user? They both have the same cookies.
3 comments

Cookies can be encrypted and changed with every page load, verifying sessions server-side. Session tokens can expire on every page or every x seconds and be reissued by the server.
I think you just need one HTTPS-only cookie (Amazon seems to have two) and just check that one (in addition to the others) at purchase time, since that one can't be stolen.

However, the sign-in button is served from an insecure page, so an ISP could MITM that and get your password anyway.

It's easier to just hijack DNS anyways.
> If I copy all of the cookies, how will the server differentiate the hijacker from the user? They both have the same cookies.

If you set the cookies to be HTTP-only then you can't get at them from malicious JS.
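The two mitigations raised in this thread (one Secure cookie checked only at purchase time, plus HttpOnly) modelled in a small Python example; this is added illustration, not code from the thread or from any site mentioned in it, and the in-memory session store, cookie names and function names are assumptions.

```python
# Constructed example: a plain "sid" cookie allows browsing over HTTP, while a
# Secure+HttpOnly "auth" cookie is required to authorize a purchase. A cookie
# sniffed from plain-HTTP traffic therefore cannot complete a purchase.
import secrets
from http.cookies import SimpleCookie

SESSIONS = {}  # sid -> {"user": ..., "secure_token": ...} (assumed in-memory store)


def login(user):
    """Issue two cookies: a browsing session cookie that the browser sends
    over HTTP, and a Secure+HttpOnly cookie sent only over HTTPS."""
    sid = secrets.token_urlsafe(24)
    secure_token = secrets.token_urlsafe(24)
    SESSIONS[sid] = {"user": user, "secure_token": secure_token}
    jar = SimpleCookie()
    jar["sid"] = sid
    jar["sid"]["httponly"] = True       # not readable by page script
    jar["auth"] = secure_token
    jar["auth"]["secure"] = True        # browser omits it on http:// requests
    jar["auth"]["httponly"] = True
    return jar


def cookies_sent(jar, over_https):
    """Model the browser's rule: Secure cookies are dropped on plain HTTP."""
    return {name: m.value for name, m in jar.items()
            if over_https or not m["secure"]}


def browse(cookies):
    """Read-only pages only need the browsing session cookie."""
    s = SESSIONS.get(cookies.get("sid"))
    return s["user"] if s else None


def authorize_purchase(cookies):
    """A purchase needs the sid AND the matching Secure-only token."""
    s = SESSIONS.get(cookies.get("sid"))
    token = cookies.get("auth")
    if not s or not token:
        return False
    return secrets.compare_digest(s["secure_token"], token)


if __name__ == "__main__":
    jar = login("alice")
    print(jar.output())                      # the two Set-Cookie headers
    sniffed = cookies_sent(jar, False)       # what an HTTP sniffer would see
    print(browse(sniffed), authorize_purchase(sniffed))          # alice False
    print(authorize_purchase(cookies_sent(jar, True)))           # True
```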