Invalidating the cache


16-Jun-2018 10:24

If a user submits a session ID through a different exchange mechanism, such as a URL parameter, the web application should avoid accepting it as part of a defensive strategy to stop session fixation.

NOTE: Even if a web application makes use of cookies as its default session ID exchange mechanism, it might accept other exchange mechanisms too.

invalidating the cache-58

Email sexchat with mummies

If the session objects and properties contain sensitive information, such as credit card numbers, it is required to duly encrypt and protect the session management repository.

The usage of an encrypted communication channel also protects the session against some session fixation attacks where the attacker is able to intercept and manipulate the web traffic to inject (or fix) the session ID on the victims web browser [4].