Session data stays on the server, with no direct access by an unauthorized third party.
One way to gain access to a particular session is session hijacking.
A session requires an ID. This ID is saved in a cookie by the user's browser. A malicious user in possession of the victim's computer can simply copy this cookie to another machine and thus gain access to the session opened by the victim. In other words, this is session hijacking.
Consult by searching the site: /search?q=sequestro+sess%C3%A3o
Another way to literally steal sessions is for an intruder to gain access to the server. An experienced attacker goes straight to the obvious locations where valuable data can be found. One of these locations is the folder where sessions are saved. Many programmers save sensitive data without encryption, leaving it in plain text. That makes it a piece of cake for a hacker to get the passwords of hundreds or thousands of users.
In cruder cases, there are those who even save credit card data. Believe it or not, this nonsense happens.
Note: SSL does not increase security, it is indifferent to this case.
"SSL does not increase security, it is indifferent to this case": exactly. In this case, SSL has nothing to do with it. SSL only increases security in case of data interception.
– João Paulo
Is there any way to improve security against data theft?
– Hugo Borges
Click on the link in the answer...
– Daniel Omine
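
A defensive audit for the plain-text session storage problem described in the answer above, as an added example that is not part of the original thread: it scans a session save directory for credential-like key names and Luhn-valid card-number-like values, reporting only labels, never the values. The key-name list, the PHP-style serialized sample files and all function names are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Key names suggesting a credential was written into the session (assumed list).
SENSITIVE_KEYS = re.compile(rb"(?i)\b(pass(word|wd)?|senha|secret|cvv|card_?number)\b")
# 13 to 19 digits, optionally separated by spaces or dashes: candidate card numbers.
PAN_CANDIDATE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters random digit runs from card-number-like values."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def audit_session_file(path: Path) -> list[str]:
    """Return finding labels for one session file; the values are never returned."""
    data = path.read_bytes()
    findings = []
    if SENSITIVE_KEYS.search(data):
        findings.append("credential-like key")
    for m in PAN_CANDIDATE.finditer(data):
        digits = re.sub(rb"\D", b"", m.group()).decode()
        if luhn_ok(digits):
            findings.append("card-number-like value")
            break
    return findings

def audit_session_dir(directory: Path) -> dict[str, list[str]]:
    """Scan each file in a session save directory; report only files with findings."""
    report = {p.name: audit_session_file(p) for p in sorted(directory.iterdir()) if p.is_file()}
    return {name: found for name, found in report.items() if found}

def demo() -> dict[str, list[str]]:
    """Constructed sample: two fake session files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "sess_aaa").write_bytes(b'user_id|i:7;password|s:6:"hunter";card|s:16:"4111111111111111";')
        (d / "sess_bbb").write_bytes(b'user_id|i:8;cart|a:0:{}')
        return audit_session_dir(d)
```

Point `audit_session_dir` at the server's real session directory to find applications that keep such data in the session store.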