PAGE 03 - SESSIONS

SESSION MANAGEMENT &
COOKIE SECURITY

Session IDs, Cookie Flags, Hijacking, Fixation, CSRF, and Secure Defaults

01

SESSIONS BASICS

// SESSION ID

A session ID is a random token that lets the server connect a browser request to a logged-in user.

// SERVER STATE

The server stores account state, roles, expiry time, and other session data. The browser only carries the identifier.

// EXPIRY

Sessions should expire after inactivity, after a maximum lifetime, and immediately after logout.

02

COOKIE SECURITY FLAGS

Flag       Purpose                                                  Example
Secure     Sends the cookie only over HTTPS.                        Secure
HttpOnly   Blocks JavaScript from reading the cookie.               HttpOnly
SameSite   Controls cross-site cookie sending to reduce CSRF risk.  SameSite=Lax
Max-Age    Defines how long a persistent cookie survives.           Max-Age=3600

// COOKIE HEADER BUILDER

Set-Cookie: session=RANDOM_VALUE; Secure; HttpOnly; SameSite=Lax; Path=/; Max-Age=3600

03

COMMON ATTACKS

// SESSION HIJACKING

An attacker steals or predicts a valid session token and uses it to act as the victim.

// SESSION FIXATION

An attacker forces a known session ID, then waits for the victim to authenticate with that same ID.

// CSRF

A malicious site causes a logged-in browser to send an unwanted request to another site.

// DEFENSES

Regenerate IDs after login, set safe cookie flags, expire sessions, protect state-changing requests, and monitor suspicious reuse.
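The defenses listed above combined into one server-side session store, as an added example that is not from this page: IDs drawn from the OS CSPRNG, idle and absolute expiry, ID regeneration at login (the fixation defense), logout invalidation, and the Set-Cookie line built from the flags table. The timeout values and the injectable clock are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional

IDLE_TIMEOUT = 15 * 60        # assumed idle limit: 15 minutes
ABSOLUTE_LIFETIME = 8 * 3600  # assumed maximum lifetime: 8 hours

@dataclass
class Session:
    user: Optional[str]   # None until the user authenticates
    created: float
    last_seen: float

class SessionStore:
    """Server-side state; the browser only ever carries the random ID."""
    def __init__(self, now=time.time):
        self.now = now        # injectable clock so expiry can be tested
        self.sessions = {}

    def create(self, user=None):
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
        t = self.now()
        self.sessions[sid] = Session(user, t, t)
        return sid

    def lookup(self, sid):
        s = self.sessions.get(sid)
        if s is None:
            return None
        t = self.now()
        if t - s.last_seen > IDLE_TIMEOUT or t - s.created > ABSOLUTE_LIFETIME:
            del self.sessions[sid]   # expired: drop it and treat the request as anonymous
            return None
        s.last_seen = t
        return s

    def login(self, old_sid, user):
        # Fixation defense: never keep the pre-auth ID, whoever chose it.
        self.sessions.pop(old_sid, None)
        return self.create(user)

    def logout(self, sid):
        self.sessions.pop(sid, None)  # immediate server-side invalidation

def set_cookie_header(sid, max_age=IDLE_TIMEOUT):
    """Set-Cookie line from the flags table; Secure means HTTPS only."""
    return (f"session={sid}; Secure; HttpOnly; SameSite=Lax; Path=/; "
            f"Max-Age={max_age}")
```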

04

SESSION LINKS

05

PRACTICE - SESSIONS

// Q1 - COOKIES

Which cookie flag prevents JavaScript from reading a session cookie?

// Q2 - ATTACKS

Which attack uses a stolen valid session token?