Session management håndterer det at holde brugere logget ind på tværs af anmodninger — og at gøre det sikkert er vigtigt, da session-sårbarhederne (hijacking, fixation) lader angribere efterligne brugere. Sikre sessioner involverer korrekt token-håndtering, cookie-sikkerhed og livscyklushåndtering.
Sådan fungerer sessioner
After login, the server keeps a SESSION identifying the user across requests:
→ a SESSION ID (or token) is stored client-side (usually a cookie) and sent each request
→ the server uses it to know who the user is (without re-authenticating each time)
→ the session ID/token is effectively a key to the user's account → must be PROTECTED.
Sikring af sessioner
✓ SECURE COOKIE flags for session cookies:
→ HttpOnly → JavaScript can't read it (protects against theft via XSS)
→ Secure → sent only over HTTPS (not plaintext)
→ SameSite → not sent on cross-site requests (mitigates CSRF)
✓ Strong, RANDOM, unpredictable session IDs (can't be guessed)
✓ Store session data server-side (or sign/encrypt tokens); transmit over HTTPS only
