In server-side session management, what does the cookie typically hold?
Session ID: the server stores session state and gives the client an unguessable identifier in a cookie. Each request sends the ID, letting the server look up the associated data securely.
What is session fixation?
Session fixation: an attacker plants a known session ID, the victim logs in under it, and the attacker then uses that ID. The fix is to regenerate the session ID upon successful authentication.
Why should a session cookie have the HttpOnly flag?
HttpOnly: prevents JavaScript from accessing the cookie via document.cookie. Even if XSS occurs, the attacker cannot directly steal the session token, reducing the impact.
What is the difference between idle and absolute session timeouts?
Timeouts: an idle timeout logs out users after a period of inactivity, while an absolute timeout caps total session lifetime even for active users. Using both balances security and usability.
Why regenerate the session ID after a privilege change (e.g., login)?
ID regeneration: issuing a new session ID at authentication invalidates any pre-set ID an attacker may have planted, directly defeating session fixation while preserving the user's logged-in state.