
Secure Session Management

Issuing, protecting, and expiring sessions so they cannot be stolen or reused.

What A Session Is

After login, the server tracks the user with a session, usually keyed by a token stored in a cookie. If that token is stolen or guessable, an attacker can impersonate the user, so the whole lifecycle (issuance, transport, renewal, expiry, and revocation) must be hardened.

Protecting The Token

  • Generate session identifiers with a cryptographically random source.
  • Mark cookies HttpOnly to block script access and Secure to require TLS.
  • Use SameSite to limit cross-site sending.
  • Regenerate the session identifier on login to prevent session fixation.

Expiry And Revocation

  • Enforce both an idle timeout and an absolute timeout.
  • Invalidate the session server-side on logout, not just by clearing the cookie.
  • Bind sessions loosely to the client's context and watch for anomalies such as sudden location changes.
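The two lists above (token protection, and expiry and revocation) describe one lifecycle, so here is a single added example that walks through it: a server-side session store that issues identifiers from a cryptographic random source, regenerates the identifier at login, enforces idle and absolute timeouts, revokes on logout, and emits cookie headers with the HttpOnly, Secure and SameSite attributes. This is illustrative code written for this page, not code from the lesson or from any framework; the timeout values and the `demo` walk-through are constructed for the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed timeout values for this example; pick yours from your risk model.
IDLE_TIMEOUT = 15 * 60          # seconds of inactivity before a session dies
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # seconds after creation, regardless of activity


@dataclass
class Session:
    user_id: str
    created_at: float
    last_seen: float
    authenticated: bool = False


class SessionStore:
    """In-memory store: the server-side record, not the cookie, is the source of truth."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._sessions: Dict[str, Session] = {}
        self._clock = clock

    @staticmethod
    def _new_id() -> str:
        # 32 bytes from the OS CSPRNG, URL-safe base64: unguessable, not sequential.
        return secrets.token_urlsafe(32)

    def create(self, user_id: str = "") -> str:
        """Issue an anonymous (pre-login) session."""
        now = self._clock()
        sid = self._new_id()
        self._sessions[sid] = Session(user_id, now, now)
        return sid

    def login(self, old_sid: Optional[str], user_id: str) -> str:
        """Regenerate the identifier at the privilege boundary.

        Any pre-login id (possibly planted by a fixation attempt) is discarded,
        so the authenticated state only ever lives under a fresh id.
        """
        if old_sid is not None:
            self._sessions.pop(old_sid, None)
        now = self._clock()
        sid = self._new_id()
        self._sessions[sid] = Session(user_id, now, now, authenticated=True)
        return sid

    def lookup(self, sid: str) -> Optional[Session]:
        """Return the live session or None, enforcing idle and absolute timeouts."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created_at > ABSOLUTE_TIMEOUT:
            self._sessions.pop(sid, None)  # expire server-side, not just in the browser
            return None
        s.last_seen = now
        return s

    def logout(self, sid: str) -> None:
        """Invalidate server-side; clearing the cookie alone leaves the id replayable."""
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str, name: str = "session") -> str:
    """Set-Cookie value with the hardening attributes from the lesson."""
    return f"{name}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def clear_cookie_header(name: str = "session") -> str:
    """Tell the browser to drop the cookie (in addition to server-side revocation)."""
    return f"{name}=; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=0"


def demo() -> Dict[str, bool]:
    """Walk the lifecycle with a controllable clock; returns what each step observed."""
    t = [1_000_000.0]
    store = SessionStore(clock=lambda: t[0])

    pre = store.create()                      # anonymous id handed out before login
    auth = store.login(pre, "alice")          # id regenerated at login
    fixation_blocked = store.lookup(pre) is None
    authenticated = store.lookup(auth).authenticated

    t[0] += IDLE_TIMEOUT + 1                  # go idle past the limit
    idle_expired = store.lookup(auth) is None

    sid = store.login(None, "alice")
    for _ in range(40):                       # stay active, but the absolute cap still hits
        t[0] += IDLE_TIMEOUT - 1
        store.lookup(sid)
    absolute_expired = store.lookup(sid) is None

    sid2 = store.login(None, "bob")
    store.logout(sid2)
    revoked = store.lookup(sid2) is None

    return {
        "fixation_blocked": fixation_blocked,
        "authenticated": authenticated,
        "idle_expired": idle_expired,
        "absolute_expired": absolute_expired,
        "revoked": revoked,
    }


if __name__ == "__main__":
    print(demo())
    print(set_cookie_header(SessionStore._new_id()))
```

The store is deliberately in-memory to keep the example self-contained; a real deployment would back it with a shared store so that revocation is visible to every server instance, and `SameSite=Lax` is the usual default where cross-site top-level navigations must still carry the cookie (use `Strict` where they need not).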

Key idea

Secure sessions use random tokens in hardened cookies, regenerate the identifier on login, and expire and revoke server-side to prevent theft and reuse.

Check yourself

1. Why regenerate the session id at login?

2. What does the HttpOnly cookie flag do?

3. How should logout invalidate a session?