What is a potentially dangerous web session management practice?
- including the session ID in the URL
- setting a cookie with the Expires attribute
- setting a cookie with the Max-Age attribute
- configuring a cookie with the HttpOnly flag
Explanation & Hint: Including the session ID in the URL is a dangerous practice. A URL ends up in browser history, bookmarks, proxy and web server logs, and the Referer header sent to other sites, so the session ID leaks to anyone who can read those places, and an attacker who gets a victim to open a link carrying a chosen ID can fix the victim's session to it (session fixation). The session ID should instead be carried in a cookie marked Secure and HttpOnly (and preferably SameSite), and a fresh ID should be issued when the user authenticates. A complementary mitigation is to encrypt the entire web session with HTTPS, not only the authentication step where the user credentials are exchanged, so that the session ID is only ever transmitted over an encrypted channel. The Expires and Max-Age attributes merely bound the lifetime of a cookie, and the HttpOnly flag keeps client-side scripts from reading it; none of those three is dangerous.
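The following is an added example, not part of the original question or its explanation, showing the safe alternative in code: a session cookie issued with the Secure, HttpOnly, SameSite and Max-Age attributes, a check that flags a Set-Cookie header missing those attributes, a check that spots a session ID carried in a URL, and ID rotation at login against session fixation. The parameter names in SESSION_ID_PARAMS and the in-memory session store are assumptions for the illustration.

```python
import secrets
from http import cookies
from urllib.parse import urlsplit, parse_qs

# Common session parameter names (assumption for this example; extend for your stack).
SESSION_ID_PARAMS = {"sessionid", "session_id", "jsessionid", "phpsessid", "sid"}
REQUIRED_FLAGS = {"Secure", "HttpOnly", "SameSite"}


def session_id_in_url(url: str):
    """Return the name of a session-ID parameter found in the URL, or None.

    Looks at the query string and at the ';jsessionid=' path parameter that
    servlet containers append when URL rewriting is enabled.
    """
    parts = urlsplit(url)
    if ";jsessionid=" in parts.path.lower():
        return "jsessionid"
    for name in parse_qs(parts.query, keep_blank_values=True):
        if name.lower() in SESSION_ID_PARAMS:
            return name
    return None


def make_session_cookie(name: str = "session", max_age: int = 1800):
    """Generate a random session ID and the Set-Cookie header value carrying it.

    Secure: only sent over HTTPS. HttpOnly: not readable by scripts.
    SameSite=Lax: not attached to most cross-site requests. Max-Age: bounded lifetime.
    """
    sid = secrets.token_urlsafe(32)  # 256 bits of randomness, URL-safe base64
    jar = cookies.SimpleCookie()
    jar[name] = sid
    jar[name]["secure"] = True
    jar[name]["httponly"] = True
    jar[name]["samesite"] = "Lax"
    jar[name]["max-age"] = max_age
    jar[name]["path"] = "/"
    return sid, jar[name].OutputString()


def missing_cookie_flags(set_cookie_value: str):
    """Return the set of required attributes absent from a Set-Cookie header value."""
    attrs = [p.strip() for p in set_cookie_value.split(";")[1:]]  # drop name=value
    present = {a.split("=", 1)[0].strip().lower() for a in attrs}
    return {flag for flag in REQUIRED_FLAGS if flag.lower() not in present}


def rotate_session(store: dict, old_sid, user: str):
    """Issue a new session ID at login and discard the old one.

    The pre-authentication ID (possibly chosen by an attacker) is invalidated so a
    fixed session cannot be reused once the victim is logged in.
    """
    store.pop(old_sid, None)
    new_sid, header = make_session_cookie()
    store[new_sid] = {"user": user}
    return new_sid, header


if __name__ == "__main__":
    # Constructed sample URLs, as seen in a proxy log.
    for url in ("https://shop.example/cart?PHPSESSID=abc123",
                "https://shop.example/cart;jsessionid=ABC",
                "https://shop.example/cart?item=42"):
        print(url, "->", session_id_in_url(url))
    sid, header = make_session_cookie()
    print(header, "missing:", missing_cookie_flags(header))
    print("weak header missing:", missing_cookie_flags("session=abc; Path=/"))
```

The URL check is the kind of test worth running over access logs or a crawler's output: any hit means the session ID is already sitting in log files and Referer headers regardless of whether the site uses HTTPS.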