Quiz Entry - updated: 2026.07.14
What are the best practices for handling session IDs securely?
Make IDs long and random (≥128-bit, CSPRNG), generate them server-side and regenerate after login, expire them, and invalidate on logout and password change.
* The session-ID lifecycle — regenerating the ID on login is what defeats fixation. *
| Practice | Implementation | Why |
|---|---|---|
| Long & random ID | ≥128 bits entropy, CSPRNG | Prevents brute-force guessing |
| Server-side generation | Generate on successful login, regenerate after auth | Prevents session fixation |
| Expiration | Absolute timeout (8h) + idle timeout (30min) | Limits exposure window |
| Manual logout | Invalidate session server-side on logout | Don't just delete client cookie |
| Invalidate on password change | Destroy ALL sessions for that user | Prevents attacker persistence |
Why regenerate on login? Without regeneration, a session fixation attack lets the attacker plant a known session ID, wait for the victim to authenticate with it, then use it themselves.