Quiz Entry - updated: 2026.07.14
How should session IDs be protected from exposure?
Keep the ID in a cookie (never the URL) and set the HttpOnly, Secure, and SameSite flags so JavaScript can't read it, it only travels over HTTPS, and it isn't sent cross-site.
| Protection | Why |
|---|---|
| Store in cookie (not URL) | URLs get logged, bookmarked, shared |
| HttpOnly flag | Blocks JavaScript access (stops XSS theft) |
| Secure flag | Cookie only sent over HTTPS |
| SameSite flag | Prevents CSRF attacks |
Additional measures:
- Bind session to IP/User-Agent (detect session theft)
- Validate cookie integrity server-side
- Use framework's built-in session management (don't roll your own!)
Mnemonic for cookie flags: "HSS" = HttpOnly, Secure, SameSite
Example secure cookie header:
Set-Cookie: sessionId=abc123; HttpOnly; Secure; SameSite=Strict; Path=/