- In Java, session tracking is done with the help of Cookies, URL Rewriting, Hidden Fields, Session Objects, etc.
- Improper session management results in disclosure of the users’ identity by stealing passwords, keys and session tokens
- An attacker compromises a session by obtaining a session token, either by stealing it or by predicting it, and thereby gains access to the web server as that user
- Session IDs should be long, complicated, random numbers that cannot be easily guessed
- A URL with a session tracking parameter can be easily used to steal the session
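The points above (cookie- versus URL-based tracking, and unguessable IDs) as an added Java example that is not part of the original notes: a servlet 3.0+ `ServletContextListener` that restricts the container to cookie-only tracking and hardens the session cookie, plus a CSPRNG-backed token generator for application-level tokens. The class names `SessionHardeningListener` and `SessionTokens` and the `javax.servlet` package are assumptions (use `jakarta.servlet` on newer containers).

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.EnumSet;

import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

/** Hypothetical listener: forces cookie-only tracking so the container never appends ;jsessionid to URLs. */
@WebListener
public class SessionHardeningListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        // URL rewriting exposes the session ID through logs, Referer headers, bookmarks and shared links.
        sce.getServletContext().setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        SessionCookieConfig cookie = sce.getServletContext().getSessionCookieConfig();
        cookie.setHttpOnly(true); // not readable from client-side script
        cookie.setSecure(true);   // only transmitted over TLS
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }
}

/** Hypothetical helper for application-level tokens (e.g. a custom session store or remember-me token). */
final class SessionTokens {
    // SecureRandom is a CSPRNG; java.util.Random, timestamps and counters are predictable and must not be used.
    private static final SecureRandom RNG = new SecureRandom();

    private SessionTokens() { }

    /** Returns a URL-safe, opaque token carrying 256 bits of entropy. */
    static String newToken() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }
}
```

The container still generates JSESSIONID itself; the generator is only for tokens the application issues on its own.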
07. Secure Coding Practices for Session Management