LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

How should session IDs be protected from exposure?

Keep the ID in a cookie (never the URL) and set the HttpOnly, Secure, and SameSite flags so JavaScript can't read it, it only travels over HTTPS, and it isn't sent cross-site.

Protection Why
Store in cookie (not URL) URLs get logged, bookmarked, shared
HttpOnly flag Blocks JavaScript access (stops XSS theft)
Secure flag Cookie only sent over HTTPS
SameSite flag Prevents CSRF attacks

Additional measures:

  • Bind session to IP/User-Agent (detect session theft)
  • Validate cookie integrity server-side
  • Use framework's built-in session management (don't roll your own!)

Mnemonic for cookie flags: "HSS" = HttpOnly, Secure, SameSite

Example secure cookie header:

Set-Cookie: sessionId=abc123; HttpOnly; Secure; SameSite=Strict; Path=/

From Quiz: SPRG / Authentication & Session Management | Updated: Jul 14, 2026