LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What are the best practices for handling session IDs securely?

Make IDs long and random (≥128-bit, CSPRNG), generate them server-side and regenerate after login, expire them, and invalidate on logout and password change.

Session-ID lifecycle: generate (CSPRNG ≥128-bit) → login → regenerate → expire → invalidate.

* The session-ID lifecycle — regenerating the ID on login is what defeats fixation. *

Practice Implementation Why
Long & random ID ≥128 bits entropy, CSPRNG Prevents brute-force guessing
Server-side generation Generate on successful login, regenerate after auth Prevents session fixation
Expiration Absolute timeout (8h) + idle timeout (30min) Limits exposure window
Manual logout Invalidate session server-side on logout Don't just delete client cookie
Invalidate on password change Destroy ALL sessions for that user Prevents attacker persistence

Why regenerate on login? Without regeneration, a session fixation attack lets the attacker plant a known session ID, wait for the victim to authenticate with it, then use it themselves.

See: OWASP Session Management Cheat Sheet

From Quiz: SPRG / Authentication & Session Management | Updated: Jul 14, 2026