Solutions

- Always invalidate a session ID after the user logs out.
- Set up a session timeout for session IDs.
- Protect the communication between the client and server. For instance, it is best practice to use SSL to mitigate man-in-the-middle attacks.
- Do not send the session ID with the GET method, otherwise the session ID will be copied into the URL. In general, avoid writing session IDs in URLs: URLs get recorded in log files, which an attacker may be able to read.
- Encrypt the session data associated with the session ID.
- Use multifactor authentication.