- Regularly clear the browser history and offline content
- Make sure that cookies and sessions are removed from the browser
- Always use HTTPS instead of HTTP
- The session key has to be a long random number or string, so that a valid session cannot be guessed and a brute-force attack is impractical
- Ensure that the session is expired when the user logs out
- The lifespan of the session or cookie should be kept short
- Clicking on unknown links should be avoided
- The session ID has to be regenerated after login in order to prevent session fixation, so that an ID the attacker obtained beforehand is never valid for the authenticated session
Countermeasures for Session ID Protection
- If implementing SSL is not possible due to a performance issue or any other reason, then protect session IDs in other ways
- Alter the session IDs frequently to reduce the validity period of any single session ID
- Do not include session IDs as part of URLs, as they can be cached by the browser, sent in the Referer header, traced from logs, or forwarded to a ‘friend’ by mistake
- Session IDs should be long, complicated, random values that cannot be easily guessed
- Change the session ID while switching to SSL, authenticating, or at other major transitions. Never accept session IDs chosen by a user
- Protect the entire session using SSL. This ensures that the session ID (e.g., the session cookie) cannot be stolen using a man-in-the-middle attack, which is a major threat to session IDs
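The following server-side session store is an added example (not taken from the original material) that puts the countermeasures above into code: cryptographically random IDs, rejection of any ID the server did not issue, a new ID on login to defeat fixation, idle and absolute expiry, invalidation on logout, and a cookie header with the Secure, HttpOnly and SameSite attributes. The constant values, the injectable clock and the cookie name are assumptions chosen for the example.

```python
import secrets
import time

SESSION_ID_BYTES = 32        # 256 bits of entropy: not guessable, not brute-forceable (assumed value)
ABSOLUTE_TTL = 8 * 3600      # hard lifetime of a session in seconds (assumed value)
IDLE_TTL = 15 * 60           # idle timeout in seconds (assumed value)


class SessionStore:
    """Server-side session store; the client only ever holds the opaque ID."""

    def __init__(self, clock=time.time):
        self._sessions = {}  # session_id -> {"user", "created", "last_seen"}
        self._clock = clock  # injectable clock so expiry can be tested offline

    def create(self, user=None):
        """Issue a fresh, cryptographically random session ID."""
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def lookup(self, sid):
        """Return the session for sid, or None if it is unknown or expired."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None  # an ID the server never issued (e.g. chosen by the client) is rejected
        now = self._clock()
        if now - sess["created"] > ABSOLUTE_TTL or now - sess["last_seen"] > IDLE_TTL:
            self.destroy(sid)  # expired: drop it so it cannot be replayed later
            return None
        sess["last_seen"] = now
        return sess

    def authenticate(self, old_sid, user):
        """Login: bind the user to a brand-new ID and discard the pre-login ID (anti-fixation)."""
        self.destroy(old_sid)
        return self.create(user)

    def destroy(self, sid):
        """Logout or expiry: invalidate the ID on the server side."""
        self._sessions.pop(sid, None)


def set_cookie_header(sid):
    """Cookie attributes: HTTPS only, not readable by script, not sent cross-site."""
    return f"SESSIONID={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"
```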