Hubbry Logo
Login sessionLogin sessionMain
Open search
Login session
Community hub
Login session
logo
7 pages, 0 posts
0 subscribers
Be the first to start a discussion here.
Be the first to start a discussion here.
Login session
Login session
Login session
View on Wikipedia
from Wikipedia
login screen

In computing, a login session is the period of activity between a user logging in and logging out of a (multi-user) system.

On Unix and Unix-like operating systems, a login session takes one of two main forms:

  • Where an X display manager is employed, a login session is considered to be the lifetime of a designated user process that the display manager invokes.

On Windows NT-based systems, login sessions are maintained by the kernel and control of them is overseen by the Local Security Authority Subsystem Service (LSA). winlogon responds to the secure attention key, it requests the LSA to create login sessions on login, and terminates all of the processes belonging to a login session on logout.

See also

[edit]

Further reading

[edit]
Revisions and contributorsEdit on WikipediaRead on Wikipedia

Login session

View on Grokipedia
from Grokipedia
A login session, also known as a logon session, is a session that begins when a user successfully authenticates to a system—typically via credentials such as a username and password—and ends when the user logs off, the session times out due to inactivity, or the system terminates it for security reasons. In operating systems like systems, a login session encompasses the period from until logout, often bound to a specific (physical or virtual) such as a terminal or SSH connection, and is managed by services like to track user activity and resource usage. Login sessions are fundamental to multi-user environments, enabling secure resource allocation, process isolation, and auditing of user actions across operating systems including Windows and . In Windows, the Local Security Authority (LSA) maintains logon sessions to associate user identities with tokens that control access to system resources, ensuring that privileges persist only during the active session. Similarly, in Unix systems, login sessions integrate with Pluggable Authentication Modules (PAM) to handle authentication, session opening, and closing, logging events in files like /var/log/wtmp for historical tracking. Effective management of these sessions prevents unauthorized access, with features like idle timeouts and session limits configured via system policies to mitigate risks such as . In web applications, login sessions extend this concept to stateless protocols like HTTP by using server-side mechanisms—such as session IDs stored in or —to maintain user state across multiple requests, allowing persistent without re-entering credentials. This form of session management is critical for security, as vulnerabilities like or fixation attacks can expose user data if not addressed through practices like attributes (e.g., HttpOnly and Secure flags) and short expiration times. Overall, robust login session handling underpins user privacy, compliance with standards like GDPR, and defense against common threats in both local and networked computing environments.

Definition and Fundamentals

Definition

A login session in computing refers to the duration of authenticated user activity in a multi-user system, commencing upon successful authentication (login) and concluding upon de-authentication (logout), during which the user gains authorized access to system resources and services. This temporal state enables secure, controlled interaction with the system, encompassing all processes and activities performed under the user's credentials within that period. The concept of the login session originated in the 1960s with early systems designed for multi-user mainframe environments, such as the (CTSS) developed at MIT in 1961–1963, which introduced mechanisms for users to remotely connect via terminals and authenticate for shared computing resources. It evolved through systems like , initiated in 1965 as a collaborative project by MIT, , and , to manage concurrent access in large-scale, networked setups during the 1960s and 1970s. Although personal computing shifted focus in later decades, login sessions remain fundamental in server-based and networked environments for enforcing and . A login session differs from a user account, which represents a static, persistent identity comprising credentials, permissions, and profile stored in the system, independent of active use. It also contrasts with a , defined as an individual instance of a running program or task that operates within the broader session context but lacks the overarching authenticated scope. Thus, the login session emphasizes the dynamic, time-bound authenticated state that binds multiple processes to a single user interaction. The session lifecycle typically includes initiation via , ongoing maintenance, and eventual termination, as explored in subsequent sections.

Key Characteristics

A login session is fundamentally stateful, maintaining a persistent record of user context—including status, permissions, and preferences—across successive interactions without requiring re-authentication for each action. This statefulness enables seamless continuity in user activities, such as retaining access rights to files or applications initiated early in the session. Login sessions possess temporal boundaries, typically enforced through maximum duration limits, inactivity timeouts, or deliberate logout actions to mitigate risks from prolonged exposure. A core attribute is the , a generated upon initiation to track and validate the session's legitimacy throughout its lifespan. Additionally, sessions operate within a specific scope, distinguishing between local access (e.g., direct console interaction) and remote access (e.g., via network protocols), which influences and controls. Systems generally support multiplicity, allowing multiple concurrent login sessions for a single user or across numerous users simultaneously, with built-in isolation mechanisms to ensure that activities in one session do not affect others. In environments, this isolation is achieved through session structures comprising process groups, preventing signal or between unrelated sessions. Similarly, in Windows, logon sessions use unique identifiers to segregate access to window stations and other objects, safeguarding against interference. Login sessions associate with specific system resources to facilitate user operations, including environment variables that encapsulate session details like the user's and shell configuration, which persist for the session's duration. The session also links to the user's initial , typically set to their folder upon , and access tokens or equivalent credentials that define permissible actions on files, processes, and network resources. These associations ensure that resource utilization aligns with the authenticated user's profile without global spillover.

Session Lifecycle

Initiation

The initiation of a login session begins with the process, where a user provides credentials to verify their identity. Common credentials include usernames paired with passwords, such as fingerprints or facial recognition, or digital certificates. The system then verifies these credentials against a stored database, such as /etc/shadow in systems for hashed passwords or a like LDAP for enterprise environments. This verification typically involves hashing the provided password with a salt and comparing it to the stored hash, ensuring secure handling without exposing secrets. Upon successful , the system creates a new session by generating a unique session identifier, often a random string or token with at least 64 bits of produced via a to prevent guessing attacks. This identifier is associated with a that includes the user's privileges, such as user ID (UID) and group memberships, along with environment setup like the and default shell from configuration files like /etc/passwd. In network protocols like Kerberos, this may involve issuing a ticket-granting ticket encrypted with a for subsequent service access. The session ID's is crucial for , as it binds the session to the authenticated user without revealing sensitive . Login sessions can be initiated through various types, including interactive logins where users directly input credentials at a local console or terminal; non-interactive logins, such as those triggered by scripts, batch jobs, or automated processes without user intervention; and remote logins via protocols like SSH for command-line access or RDP for graphical desktops. If fails due to invalid credentials, the login attempt is rejected, preventing session creation, and the system logs the event for purposes, including details like , username attempted, and source IP to detect patterns of abuse. Verifiers implement rate-limiting, such as capping failed attempts at 100 per account to mitigate brute-force attacks, after which further attempts may trigger temporary lockouts.

Maintenance

Once a login session is active, its maintenance involves preserving the user's state to ensure continuity of access and functionality. This preservation typically tracks user-specific data, such as preferences, tokens, or application states like a in web applications or command history in terminal sessions. Such state is maintained through mechanisms like in-memory storage for transient data, file-based persistence for durability across restarts, or database records for scalable, shared environments. For instance, in web contexts, session objects bind user data to a unique session identifier, allowing seamless retrieval across requests. Inactivity detection is a core aspect of session maintenance to balance and , employing timers to monitor idle periods without user interaction. Systems often implement idle timeouts, ranging from 2-5 minutes for sensitive applications to 15-30 minutes for general use, triggering warnings or automatic session suspension to prevent unauthorized access from unattended devices. Renewal mechanisms, such as token refresh on periodic activity, extend session validity without requiring re-authentication; for example, short-lived access tokens can be refreshed using longer-lived refresh tokens if activity is detected. These server-side enforcements ensure that sessions do not persist indefinitely, reducing exposure to risks like . Concurrency handling addresses scenarios where users may attempt multiple simultaneous sessions, such as from different devices, to prevent conflicts and enforce access limits. Mechanisms include organization-defined caps on concurrent sessions per account, often limited to 1-2 for administrative or high-security contexts, achieved by invalidating prior sessions upon new logins or blocking additional ones. techniques, like checking active session counts via APIs before granting access, ensure data consistency and avoid race conditions; for example, refresh token registries can track and revoke excess sessions to maintain a single active device limit. This approach mitigates risks such as account sharing while allowing legitimate multi-device use under controlled policies. Monitoring active sessions involves logging key events and metrics to detect anomalies and support auditing, without delving into platform-specific implementations. General practices include recording activity timestamps for events, session usage, and resource consumption, such as CPU or tied to session processes, to build timelines of user behavior. Tools facilitate this by correlating session identifiers with logs, enabling detection of unusual patterns like rapid session creations or IP changes; for instance, hashed session IDs are logged alongside timestamps to trace lifecycle events while preserving . This ongoing ensures proactive maintenance and compliance with standards.

Termination

Login sessions can be terminated explicitly by the user through an action such as selecting a logout button in a web interface or issuing a logout command in a terminal, which invalidates the session identifier and clears associated state information on the server side. This process ensures that the session token is immediately rendered unusable, preventing further access without re-authentication. In systems following NIST guidelines, explicit logout triggers the erasure or invalidation of session secrets both on the server and, where applicable, on the client endpoint. Implicit termination occurs automatically due to predefined conditions, including inactivity timeouts where the session expires after a period of no user activity—typically ranging from 15 minutes in high-security environments like banking to up to an hour in less sensitive applications—or overall session lifetimes that cap the total duration post-authentication. System events such as shutdowns or idle thresholds can also end sessions, while forced revocation may be initiated by administrators for reasons, such as detecting or responding to account , thereby immediately disconnecting all active sessions for the affected user. Upon termination, cleanup processes reclaim system resources, including and file handles allocated to the session, and invalidate any stored to prevent lingering access. Servers typically log the termination event, recording the end time and reason for and compliance purposes, while session history may be retained as required by regulations like those in the . Post-termination, users must re-authenticate to establish a new session, and no prior session remains accessible, ensuring that authenticated resources are protected from unauthorized reuse.

Sessions in Operating Systems

Unix-like Systems

In systems, the login process begins with the getty daemon, which manages terminal lines and presents a login prompt to users on physical consoles or virtual terminals. Upon entering a username, getty invokes the /bin/ program, which prompts for a password and verifies credentials using Pluggable Authentication Modules (PAM), a flexible framework that allows authentication via various backends such as /etc/passwd, LDAP, or Kerberos. If authentication succeeds, login updates the system's utmp/wtmp logs, sets the effective user ID (UID) and group ID (GID) for the new process, and executes the user's default shell, typically /bin/bash or /bin/sh, thereby initiating the interactive session. A login session in these systems is structured as a session—a collection of one or more process groups sharing a common controlling terminal, with the login shell serving as the session leader. The controlling terminal, which may be a physical device (e.g., /dev/tty1) or a pseudo-terminal (e.g., /dev/pts/0 for SSH connections), handles input/output multiplexing, job control, and signal propagation for all processes within the session. Process groups within the session are identified by a process group ID (PGID), and only the foreground process group receives input from the terminal, ensuring orderly interaction in multi-process environments like shells running background jobs. This structure, defined in POSIX standards, enables robust isolation and management of interactive environments. Active sessions can be monitored using several standard commands. The who utility lists currently logged-in users, displaying details such as username, terminal device, login time, and idle duration, drawing from the utmp file for real-time information. The w command builds on this by showing additional activity metrics, including the user's host of origin, CPU load, and currently running processes via integration with ps. In modern distributions employing , the loginctl tool offers enhanced introspection, allowing users to list sessions with commands like loginctl list-sessions, which reveals session IDs, associated users, seats (e.g., graphical or console), and states (active, closing, or online), facilitating administrative oversight of multi-user environments. To support multi-user operations, systems enforce isolation through unique user identifiers (UIDs), numeric values assigned to each account that govern , file permissions, and access, preventing unauthorized interference between users. During session termination—triggered by commands like exit or logout—the shell broadcasts a signal to all es in the session's process groups, prompting child processes to terminate gracefully and release resources, which helps maintain system stability and security in shared environments. This signal handling is a core mechanism, ensuring cleanup without requiring manual intervention.

Microsoft Windows

In Microsoft Windows, login sessions are managed through distinct logon types that categorize how users or processes authenticate and access system resources. The primary logon types include interactive logons (type 2), which occur via console or hardware remote control for direct user interaction requiring passwords, smart cards, or other credentials; remote interactive logons (type 10), used for (RDP) connections; network logons (type 3), used for accessing remote resources like file shares over the network with credentials such as passwords, NT hashes, or Kerberos tickets; batch logons (type 4), employed by scheduled tasks executing on behalf of users without direct intervention; and service logons (type 5), associated with system services running under specific accounts. Each logon session is uniquely identified by a Locally Unique Identifier (LUID), a 64-bit value assigned to the session for tracking purposes within the local system. Authentication for these sessions is handled primarily by the Winlogon executable (Winlogon.exe), which initiates the logon process by collecting user credentials through secure attention sequences, and the Local Security Authority Subsystem Service (LSASS), which validates those credentials against local or domain policies. For domain-joined systems, LSASS integrates with to facilitate Kerberos-based authentication, enabling seamless logons across networked environments. This process ensures that access tokens, which include the LUID and (SID) for the user, are generated to enforce security contexts for the session. Administrators can query active login sessions using built-in commands such as quser or query user, which display details like session IDs, usernames, states (e.g., active or disconnected), and idle times on Remote Desktop Session Host servers. For more detailed enumeration, the LogonSessions tool provides comprehensive output, including the LUID, associated processes, and for each session, aiding in security auditing and troubleshooting. Windows supports multi-session handling through (RDS), allowing multiple concurrent user sessions on a single host, particularly in server editions where licensing permits beyond the default two administrative sessions. Sessions are isolated using unique session IDs, with Session 0 reserved for system services and non-interactive processes, Session 1 for the physical console session (in and later), and higher IDs assigned to remote connections, ensuring resource separation and preventing interference between users. Upon termination, sessions trigger cleanup of associated resources, such as tokens and handles, to maintain system integrity.

Sessions in Web Applications

HTTP Session Management

HTTP is a , meaning each request from a client to a server must be treated independently without inherent knowledge of prior interactions. This lack of built-in statefulness poses a challenge for web applications requiring persistent user sessions after , necessitating explicit mechanisms to track and associate subsequent requests with the authenticated user via unique session identifiers generated and managed by the server. Following successful —such as through form-based or protocols like —the server establishes a session by creating a unique , which it associates with the user's details on the server side and transmits to the client for inclusion in future requests. The client then embeds this identifier in each subsequent HTTP request, allowing the server to retrieve and validate the corresponding session data, thereby maintaining continuity across the stateless exchanges. Session expiration policies are critical for balancing and , typically employing either absolute timeouts, which enforce a fixed end time regardless of activity (e.g., 8 hours from creation), or sliding expirations, which reset the timeout period upon each user interaction to extend the session dynamically. Applications must also address concurrent sessions, such as those from multiple browsers or devices for the same user, by implementing policies like allowing only one active session per user (terminating prior ones upon new logins) or permitting multiples with restrictions to mitigate risks like . In popular frameworks, HTTP session management is abstracted for ease of implementation; for instance, PHP's session handling begins with a call to initialize the session context, enabling automatic ID tracking, while Servlets provide the HttpSession interface for servers to create and manipulate per-user sessions programmatically.

Session Storage Mechanisms

Session storage mechanisms in web applications primarily involve methods to persist and transmit session identifiers and associated data between client and server, ensuring continuity across stateless HTTP requests. Cookies represent the most common approach, where the server sets a session ID in an HTTP response header, which the browser stores and returns in subsequent requests. The HttpOnly flag on cookies restricts access to these values from client-side scripts, mitigating risks such as (XSS) attacks that could otherwise steal session data. Without the HttpOnly flag, session cookies are vulnerable to theft via XSS, as malicious scripts can read and exfiltrate the cookie value. The Secure flag further ensures that cookies are only transmitted over encrypted connections, preventing interception in transit. Server-side storage complements cookie-based identifiers by maintaining the actual session data on the server, such as user preferences or details, keyed by the . This approach allows for secure handling of sensitive information without exposing it to the client. In-memory storage, like session files in application servers, provides fast access but may lack persistence across restarts, while databases offer durability; , an in-memory key-value store, is widely used for its sub-millisecond latency and scalability in handling high-volume sessions across distributed systems. As a cookie-less alternative, URL rewriting embeds the directly into (e.g., appending ;jsessionid=ABC123), enabling session tracking when cookies are disabled, though it requires careful encoding to avoid exposure in logs or shared links. Token-based alternatives, such as JSON Web Tokens (JWTs), enable stateless sessions by encoding all necessary claims within a self-contained, digitally signed token that the client stores and presents to the server. Defined in RFC 7519, JWTs consist of a header, , and , using algorithms like SHA-256 for integrity protection without requiring server-side lookups. The includes standard claims like expiration time (exp), which specifies a Unix timestamp after which the token becomes invalid, supporting automatic session termination. This stateless design enhances scalability in environments, as any server can verify the token independently. Hybrid approaches combine client-side storage with server validation to balance performance and security, particularly in distributed systems. For instance, localStorage can hold non-sensitive session data or on the client, reducing server load, while the server validates each access to prevent tampering; this method leverages the 5-10 MB capacity of localStorage for persistence across sessions but requires and XSS protections to avoid exposure. Such strategies emphasize by minimizing centralized session stores, allowing horizontal scaling without session affinity concerns.

Security Considerations

Common Vulnerabilities

Session hijacking occurs when an attacker steals or predicts a valid session identifier, allowing unauthorized access to an active user session without needing credentials. This vulnerability is particularly prevalent in unencrypted network communications, where attackers can intercept session tokens through methods such as man-in-the-middle (MITM) attacks or infection on the user's device. Session fixation exploits applications that fail to regenerate session identifiers upon successful , enabling an attacker to pre-set a known and trick the user into authenticating within that compromised session. The attacker typically provides the victim with a or link containing the fixed , which persists through , granting the attacker control once the user is authenticated. Weak session identifiers, such as those that are short, predictable, or sequentially generated, expose login sessions to brute-force guessing or prediction attacks, where adversaries systematically test possible IDs to impersonate users. Additionally, these identifiers can facilitate (CSRF) attacks by exploiting sessions in unauthenticated states, allowing malicious sites to perform actions on behalf of the victim using their active session. Other notable risks include insufficient session expiration policies, which leave sessions active for extended periods and increase the window for exploitation by hijackers or fixators. Improper logout mechanisms that do not fully invalidate all associated session tokens across devices or storage methods, such as , can also prolong exposure, enabling attackers to reuse abandoned sessions.

Best Practices

To mitigate risks such as , where attackers intercept and impersonate legitimate users, implementing robust best practices for login session management is essential. These practices focus on generating secure identifiers, ensuring protected transmission, enforcing timely expiration, enabling effective revocation, and incorporating additional safeguards like (MFA). Session identifiers should be generated using a (CSPRNG) to ensure sufficient , with a minimum of 64 bits—though 128 bits or more is recommended for higher security against brute-force attacks. The identifier length should correspond to this entropy level, such as at least 16 characters for 64 bits. Additionally, regenerate the session immediately after successful or any privilege level changes, such as role elevations, to prevent fixation attacks where an attacker pre-sets a known ID. For secure transmission, all session data must be sent over with TLS encryption throughout the session's duration to protect against interception on public networks. Cookies storing session IDs should include the Secure attribute to restrict transmission to only, the HttpOnly attribute to block access via client-side scripts, and the SameSite attribute (set to Strict or Lax) to defend against . Timeouts play a critical role in limiting exposure; implement an idle timeout of 15-30 minutes for low-risk applications, shortening to 2-5 minutes for high-value ones, alongside an absolute timeout of 4-8 hours to cap overall session lifespan. Use sliding or renewal expiration mechanisms, where the timeout resets upon activity, to balance and without indefinite extensions. mechanisms should support centralized session invalidation on the server side, immediately terminating sessions upon logout or detection of anomalies, using methods like explicit invalidation calls in frameworks. Limit concurrent sessions per user by enforcing a that invalidates older sessions when a new one is created from a different device or . Maintain comprehensive audit logs for all session events—creations, renewals, and terminations—storing salted hashes of IDs rather than to track and investigate potential compromises. Integrate MFA to enhance session , requiring re-authentication with a second factor after high-risk actions like password changes or prolonged inactivity. Conduct regular audits to verify compliance with standards such as guidelines and relevant RFCs (e.g., 6265 for ), including monitoring for IP or user-agent changes that may indicate hijacking attempts.

References

  1. https://learn.microsoft.com/en-us/windows/win32/secauthn/lsa-logon-sessions
  2. https://man7.org/linux/man-pages/man3/sd-login.3.html
  3. https://www.man7.org/linux/man-pages/man8/pam_unix.8.html
  4. https://man7.org/linux/man-pages/man5/logind.conf.5.html
  5. https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
  6. https://www.pingidentity.com/en/resources/blog/post/session-management.html
  7. https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPMultipleUsers/Concepts/SystemContexts.html
  8. https://people.csail.mit.edu/saltzer/Multics/CTSS-Documents/CTSS_ProgrammersGuide_1963.pdf
  9. https://multicians.org/history.html
  10. https://www.ibm.com/history/time-sharing
  11. https://www.informit.com/articles/article.aspx?p=2249436&seqNum=8
  12. https://pages.nist.gov/800-63-4/sp800-63b/session/
  13. https://www.cs.odu.edu/~cs252/Book/sessions.html
  14. https://opensource.com/article/19/8/what-are-environment-variables
  15. https://learn.microsoft.com/en-us/windows/win32/api/wincred/ns-wincred-credentiala
  16. https://www.elastic.co/blog/linux-process-and-session-model-as-part-of-security-alerting-and-monitoring
  17. https://pages.nist.gov/800-63-4/sp800-63b.html
  18. https://people.computing.clemson.edu/~jmarty/courses/commonCourseContent/AdvancedModule-SecurityConceptsAndApplicationToLinux/LinuxUserAuthentication.pdf
  19. https://datatracker.ietf.org/doc/html/rfc4120
  20. https://learn.microsoft.com/en-us/windows-server/security/windows-authentication/windows-logon-scenarios
  21. https://learning.lpi.org/en/learning-materials/102-500/105/105.1/105.1_01/
  22. https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#introduction
  23. https://docs.spring.io/spring-security/reference/servlet/authentication/session-management.html#customizing-where-authentication-is-stored
  24. https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#session-expiration
  25. https://docs.spring.io/spring-security/reference/servlet/authentication/session-management.html#_detecting_timeouts
  26. https://stigviewer.com/stigs/network_device_management_security_requirements_guide/2025-02-11/finding/V-202140
  27. https://docs.spring.io/spring-security/reference/servlet/authentication/session-management.html#ns-concurrent-sessions
  28. https://fusionauth.io/docs/extend/examples/device-limiting
  29. https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#logging-sessions-life-cycle-monitoring-creation-usage-and-destruction-of-session-ids
  30. https://www.baeldung.com/linux/monitor-login-attempts
  31. https://redcanary.com/blog/threat-detection/better-know-a-data-source/logon-sessions/
  32. https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/06-Testing_for_Logout_Functionality
  33. https://learn.microsoft.com/en-us/entra/identity/users/users-revoke-access
  34. https://le.fbi.gov/cjis-division/cjis-security-policy-resource-center/cjis_security_policy_v5-9-5_20240709.pdf
  35. https://www.man7.org/linux/man-pages/man1/login.1.html
  36. https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap11.html
  37. https://learn.microsoft.com/en-us/windows-server/identity/securing-privileged-access/reference-tools-logon-types
  38. https://learn.microsoft.com/en-us/windows-server/security/windows-authentication/credentials-processes-in-windows-authentication
  39. https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/query-user
  40. https://learn.microsoft.com/en-us/sysinternals/downloads/logonsessions
  41. https://learn.microsoft.com/en-us/windows/win32/termserv/terminal-services-sessions
  42. https://techcommunity.microsoft.com/t5/askperf-blog/application-compatibility-session-0-isolation/ba-p/372361
  43. https://datatracker.ietf.org/doc/html/rfc9110
  44. https://www.php.net/manual/en/features.sessions.php
  45. https://docs.oracle.com/javaee/7/api/javax/servlet/http/HttpSession.html
  46. https://datatracker.ietf.org/doc/html/rfc6265
  47. https://owasp.org/www-community/HttpOnly
  48. https://redis.io/solutions/session-store/
  49. https://www.digitalocean.com/community/tutorials/java-session-management-servlet-httpsession-url-rewriting
  50. https://datatracker.ietf.org/doc/html/rfc7519
  51. https://stytch.com/blog/localstorage-vs-sessionstorage-vs-cookies/
  52. https://owasp.org/www-community/attacks/Session_hijacking_attack
  53. https://www.imperva.com/learn/application-security/session-hijacking/
  54. https://owasp.org/www-community/attacks/Session_fixation
  55. https://cwe.mitre.org/data/definitions/384.html
  56. https://portswigger.net/web-security/authentication
Add your contribution
Related Hubs
User Avatar
No comments yet.