WebAppSec/Secure Coding Guidelines

129 bytes added, 12:57, 20 April 2012
==Session Management==
===HTTP-Only Flag===
The HttpOnly flag should be set on the session cookie so that script running in the page cannot read the session ID through document.cookie (e.g. to exfiltrate it via XSS). Note that HttpOnly only blocks script access to the cookie value; an XSS payload can still issue requests that the browser will send with the session cookie attached.
 
===Login===
A new session ID should be generated on login, and any pre-login session ID presented by the client discarded, to prevent session fixation (for example, an attacker using XSS on a sibling domain or subdomain to plant a cookie that the browser also sends to the application).
 
===Logout===
Upon logout the session ID should be invalidated on the server side (so the old ID is no longer accepted even if the cookie survives) and deleted on the client by overwriting the cookie with an empty value and an expiry in the past.