Sunday, November 26, 2017

Attacking Session Management (remediation)

Securing the Session:
1) Secure token
- random: generated from a CSPRNG (a UUID only qualifies if it is version 4 and built from a secure random source; the other UUID versions are predictable)
- long: at least 128 bits of entropy, so the token cannot be guessed or brute-forced
- token protection
    - never in the URL (it would leak through Referer headers, proxy and server logs, and browser history)
    - cookie flags
        - HttpOnly (not readable from JavaScript, so an XSS payload cannot read it)
        - Secure (only sent over HTTPS, so it is never exposed on the wire)

2) Secure session handling
- new token at login (prevents session fixation) and again after logout
- old session destroyed on the server, not just the cookie deleted on the client
- session ending on both client and server: logout must invalidate the server-side record and clear the client cookie

3) Timeout
- idle timeout (no activity for a fixed period) and an absolute timeout (hard maximum lifetime), both enforced server-side
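The three points above, pulled together into one minimal server-side session store. This is an added example, not code from the original post: a CSPRNG-generated token, rotation at login, server-side destruction at logout, idle and absolute timeouts, and Set-Cookie headers carrying the HttpOnly and Secure flags. The cookie name, the timeout values and the injectable clock are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60        # assumed: seconds of inactivity before a session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed: hard lifetime regardless of activity
COOKIE_NAME = "SESSIONID"     # assumed cookie name


@dataclass
class Session:
    user_id: Optional[str]    # None until the user authenticates
    created: float            # for the absolute timeout
    last_seen: float          # for the idle timeout


class SessionStore:
    """In-memory session store; the clock is injectable so timeouts are testable."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _new_token() -> str:
        # 32 bytes from the OS CSPRNG = 256 bits of entropy, well above the
        # 128-bit floor; URL-safe base64 keeps it a valid cookie value.
        return secrets.token_urlsafe(32)

    def create(self, user_id: Optional[str] = None) -> str:
        token = self._new_token()
        now = self._clock()
        self._sessions[token] = Session(user_id, now, now)
        return token

    def login(self, old_token: Optional[str], user_id: str) -> str:
        # Rotate on privilege change: drop whatever pre-auth session the client
        # presented so a fixated token can never become an authenticated one.
        if old_token is not None:
            self._sessions.pop(old_token, None)
        return self.create(user_id)

    def logout(self, token: str) -> str:
        # Destroy the server-side record; clearing the cookie alone is not enough.
        self._sessions.pop(token, None)
        # Hand the client a fresh anonymous session rather than none at all.
        return self.create()

    def validate(self, token: str) -> Optional[Session]:
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            # Expired: remove it so the token can never be revived.
            self._sessions.pop(token, None)
            return None
        s.last_seen = now
        return s


def set_cookie_header(token: str) -> str:
    # HttpOnly keeps script from reading it; Secure keeps it off plain HTTP.
    return f"Set-Cookie: {COOKIE_NAME}={token}; Path=/; HttpOnly; Secure"


def clear_cookie_header() -> str:
    # Client-side half of logout: expire the cookie immediately.
    return f"Set-Cookie: {COOKIE_NAME}=; Path=/; Max-Age=0; HttpOnly; Secure"


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()
    authed = store.login(anon, "alice")
    print(set_cookie_header(authed))
    print("old token still valid:", store.validate(anon) is not None)
    print("new token user:", store.validate(authed).user_id)
    store.logout(authed)
    print(clear_cookie_header())
```

The token is only ever sent in the Set-Cookie header, never in a URL, and every expiry decision is made on the server from its own clock, so a client that keeps an old cookie gains nothing from it.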
