* Store session keys server side (typically in a db) so that they can be revoked immediately.
* Session keys must be changed on login to prevent session fixation attacks.
* Session cookies must have the HttpOnly and Secure flags set and the SameSite attribute set to 'strict' or 'lax' (lax still allows regular top-level links from external sites to reach the login page).
* For more information about potential pitfalls see the [OWASP Session Management Cheat Sheet](https://www.owasp.org/index.php/Session_Management_Cheat_Sheet)
* [ ] Access Control should be via existing and well regarded frameworks. If you really do need to roll your own then contact the security team for a design and implementation review.
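The session-management items above (server-side storage so a session can be revoked at once, a fresh session id on login against fixation, and HttpOnly/Secure/SameSite on the cookie) pulled together into one small Python module. This is an added example, not code from the original checklist; the in-memory dict, the `SESSION_TTL` value and the `session` cookie name are assumptions standing in for a real database and a real application's settings.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Idle timeout in seconds (assumed value; tune per application).
SESSION_TTL = 3600


@dataclass
class Session:
    user_id: Optional[str]   # None until the user has authenticated
    created_at: float
    last_seen: float


class SessionStore:
    """Server-side session store. A dict stands in for the database here so that
    the example runs offline; the point is that the session state lives on the
    server and a row can be deleted to revoke a session immediately."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, user_id: Optional[str] = None) -> str:
        # 256 bits from the OS CSPRNG; never derive the id from user data.
        sid = secrets.token_urlsafe(32)
        now = time.time()
        self._sessions[sid] = Session(user_id, now, now)
        return sid

    def get(self, sid: str) -> Optional[Session]:
        """Look up a session, expiring it if idle longer than SESSION_TTL."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        if time.time() - session.last_seen > SESSION_TTL:
            self.revoke(sid)
            return None
        session.last_seen = time.time()
        return session

    def revoke(self, sid: str) -> None:
        """Immediate revocation: the id stops working on the next request."""
        self._sessions.pop(sid, None)

    def revoke_all_for_user(self, user_id: str) -> int:
        """Used on password change or account compromise; returns the count revoked."""
        stale = [sid for sid, s in self._sessions.items() if s.user_id == user_id]
        for sid in stale:
            self.revoke(sid)
        return len(stale)

    def login(self, presented_sid: Optional[str], user_id: str) -> str:
        """Rotate the session id on login. The id the client presented (which an
        attacker may have planted, i.e. session fixation) is discarded and a new
        one is issued, so nothing that was known before authentication is valid after it."""
        if presented_sid is not None:
            self.revoke(presented_sid)
        return self.create(user_id)


def session_cookie(sid: str, same_site: str = "Lax") -> str:
    """Build the Set-Cookie value with the flags the checklist requires.
    'Lax' lets a normal top-level link from another site carry the cookie
    (so an external link to the login page works); 'Strict' does not."""
    if same_site not in ("Strict", "Lax"):
        raise ValueError("SameSite must be Strict or Lax for a session cookie")
    return f"session={sid}; Path=/; HttpOnly; Secure; SameSite={same_site}"


def demo() -> dict:
    """Walk through fixation-safe login and immediate revocation; returns the
    observations so they can be checked."""
    store = SessionStore()
    pre_auth = store.create()                 # anonymous session before login
    authed = store.login(pre_auth, "alice")   # rotated on login
    result = {
        "rotated": authed != pre_auth,
        "old_id_dead": store.get(pre_auth) is None,
        "new_id_user": store.get(authed).user_id,
        "cookie": session_cookie(authed),
    }
    store.revoke(authed)                      # e.g. logout or admin action
    result["revoked"] = store.get(authed) is None
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `login()` rotation is the fixation defence: whatever id the browser showed up with is thrown away, so an id an attacker managed to set in the victim's browser never becomes an authenticated session. Revocation is a single delete because the only state the client holds is an opaque random id.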