TheBlack

Reputation: 53

Session-based authentication security

As far as I know, after the authentication phase, when the user has sent his username and password to the server, using basic authentication with or without HTTPS, the server sends a sessionId to the client, and after that the client uses this sessionId for each subsequent request.

Best regards.

Upvotes: 0

Views: 189

Answers (2)

Dan Rosenqvist

Reputation: 91

You can set the HttpOnly flag to ensure that the cookie cannot be read from JavaScript.

The Secure flag ensures that the cookie can only be transported over an SSL/TLS-based connection.

Upvotes: 1
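As an added example (not code from the question or the answer above), the following Python script shows what those two flags look like on the wire when the server issues the session cookie, adds SameSite as a third attribute the answer does not mention, and includes a small audit function that reports which hardening attributes a given Set-Cookie header lacks. The cookie name `sessionId`, the random-id length and the SameSite=Lax choice are assumptions for the illustration.

```python
import secrets
from http.cookies import SimpleCookie
from typing import List, Optional

# Assumed cookie name for the illustration; the question calls it "sessionId".
SESSION_COOKIE = "sessionId"


def new_session_id() -> str:
    """32 bytes from the OS CSPRNG, URL-safe base64 (43 chars), so the id is
    unguessable; the id itself carries no meaning, it is only a lookup key."""
    return secrets.token_urlsafe(32)


def session_set_cookie_header(session_id: str) -> str:
    """Build the Set-Cookie header value for the session cookie.

    HttpOnly: document.cookie cannot read it, so a script-injection bug cannot
              simply exfiltrate the id.
    Secure:   the browser only sends it over TLS, so a plaintext eavesdropper
              never sees it even if the site is also reachable over http://.
    SameSite: the browser does not attach it to cross-site POSTs (CSRF check;
              Lax is an assumed choice, not something the answer specifies).
    """
    c = SimpleCookie()
    c[SESSION_COOKIE] = session_id
    c[SESSION_COOKIE]["httponly"] = True
    c[SESSION_COOKIE]["secure"] = True
    c[SESSION_COOKIE]["samesite"] = "Lax"
    c[SESSION_COOKIE]["path"] = "/"
    # output(header="") yields " sessionId=...; HttpOnly; Path=/; SameSite=Lax; Secure"
    return c.output(header="").strip()


def session_id_from_cookie_header(cookie_header: str) -> Optional[str]:
    """Extract the session id from the Cookie header of a subsequent request."""
    c = SimpleCookie()
    c.load(cookie_header)
    morsel = c.get(SESSION_COOKIE)
    return morsel.value if morsel is not None else None


def audit_set_cookie(header_value: str) -> List[str]:
    """Return the hardening attributes missing from a Set-Cookie header value.

    Attribute names are case-insensitive per RFC 6265, so compare lowercased.
    """
    parts = header_value.split(";")[1:]  # skip the name=value pair itself
    present = {p.strip().split("=", 1)[0].lower() for p in parts}
    return [a for a in ("httponly", "secure", "samesite") if a not in present]


if __name__ == "__main__":
    sid = new_session_id()
    hardened = session_set_cookie_header(sid)
    print("Set-Cookie:", hardened)
    print("missing on hardened cookie:", audit_set_cookie(hardened))
    # Constructed example of a weak header as many frameworks emit by default.
    weak = "sessionId=%s; Path=/" % sid
    print("missing on weak cookie:", audit_set_cookie(weak))
    print("id echoed back by client:",
          session_id_from_cookie_header("sessionId=%s; theme=dark" % sid) == sid)
```

Note that the flags protect the cookie in transit and from script access only; they do nothing against a session id that is predictable, which is why the id comes from the CSPRNG rather than from a counter or a timestamp.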

symcbean

Reputation: 48387

is sent as cookie and can be easily eavesdropped.

Not if it was sent via HTTPS (you have added this as a tag). Which is rather the point of HTTPS.

There are other attacks which can compromise a web session but that's a different and longer discussion.

My second question

Should have been posted as a separate question.

A session id is specifically bound to the session and can therefore reference state information beyond that required for authentication (e.g. your shopping basket) while token authentication exclusively deals with authentication.

Upvotes: 0
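To make the distinction in the last paragraph concrete, here is an added Python example (not code from the answer) that puts the two models side by side: an opaque session id that is only a key into server-side state (here holding the shopping basket the answer mentions), and a self-contained HMAC-signed token that carries nothing but authentication claims. The token format, the claim names `sub` and `exp`, and the server secret are assumptions for the illustration, not a standard the page references.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, List, Optional

# Placeholder server secret for the illustration; a real deployment loads it
# from configuration, never hard-codes it.
SECRET_KEY = b"assumed-server-secret-for-the-example"


# --- Session-id model: the id references state held by the server ---------
class SessionStore:
    """In-memory store keyed by an unguessable random id."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def create(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)
        # Anything the application wants to remember hangs off the session,
        # not just who the user is.
        self._sessions[sid] = {"user": user, "basket": []}
        return sid

    def get(self, sid: str) -> Optional[dict]:
        return self._sessions.get(sid)

    def add_to_basket(self, sid: str, item: str) -> List[str]:
        self._sessions[sid]["basket"].append(item)
        return self._sessions[sid]["basket"]

    def destroy(self, sid: str) -> None:
        # Logout or revocation takes effect immediately: the id is now unknown.
        self._sessions.pop(sid, None)


# --- Token model: the token itself is the proof of authentication ---------
def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Return body.tag where body is the JSON claims and tag is HMAC-SHA256."""
    issued = int(now if now is not None else time.time())
    claims = {"sub": user, "exp": issued + ttl_seconds}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    tag = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(tag)


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the tag and expiry check out, else None.

    No server-side lookup happens: the server has nothing to store and
    nothing to delete, which is also why a leaked token stays valid until exp.
    """
    try:
        body, tag = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(tag), expected):
        return None
    claims = json.loads(_unb64(body))
    current = int(now if now is not None else time.time())
    if claims["exp"] < current:
        return None
    return claims


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print("basket after add:", store.add_to_basket(sid, "book"))
    store.destroy(sid)
    print("session after destroy:", store.get(sid))

    tok = issue_token("alice", ttl_seconds=3600)
    print("token claims:", verify_token(tok))
    print("tampered token:", verify_token(tok[:-3] + "xyz"))
```

The practical consequence of the difference: with the session model the server can drop a session at will, while with the token model "logout" only discards the client's copy, so token systems need short lifetimes or a deny-list to get the same effect.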
