- Invalidate any session identifiers after a successful logout or timeout on both the server and client sides.
- Always assign a new session ID after a successful authentication.
- For cookie-based sessions, ensure no sensitive information is added to the cookie. Instead, always use a random session ID and ensure proper cookie security is followed.
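The three points above combined in one minimal server-side session store, as an added example that is not code from the original page: the `SessionStore` class, the cookie helper functions, the injectable clock and the 15-minute idle timeout are illustrative assumptions.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # assumed idle timeout in seconds


class SessionStore:
    """Server-side store: the cookie carries only a random ID, all user data stays here."""

    def __init__(self, now=time.time):
        self._sessions = {}  # session_id -> {"user": ..., "last_seen": ...}
        self._now = now      # injectable clock so timeouts can be simulated

    def create(self, user=None):
        # 256 bits from the OS CSPRNG; nothing about the user is encoded in the ID
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._now()}
        return sid

    def lookup(self, sid):
        """Return the session, or None if unknown or idle-expired (expired IDs are dropped)."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        if self._now() - session["last_seen"] > IDLE_TIMEOUT:
            self.invalidate(sid)
            return None
        session["last_seen"] = self._now()
        return session

    def login(self, pre_auth_sid, user):
        """Rotate the ID after authentication: the pre-auth ID is destroyed, a fresh one issued."""
        self.invalidate(pre_auth_sid)
        return self.create(user)

    def invalidate(self, sid):
        """Server-side invalidation (logout or timeout); missing IDs are ignored."""
        self._sessions.pop(sid, None)


def session_cookie(sid, max_age=IDLE_TIMEOUT):
    """Set-Cookie value for a live session: random ID only, with protective attributes."""
    return f"session={sid}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax"


def logout_cookie():
    """Set-Cookie value that clears the cookie client-side after server-side invalidation."""
    return "session=; Path=/; Max-Age=0; Secure; HttpOnly; SameSite=Lax"
```

On logout a handler calls `store.invalidate(sid)` and responds with `logout_cookie()`, so both sides drop the identifier.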