Session management nangani njaga supaya users tetep log in sawise requests — lan ngamanake iku penting, amarga kerentanan session (hijacking, fixation) ngidini penyerang nyamar dadi users. Secure sessions melu handling token sing bener, security cookie, lan lifecycle management.
Piye cara session berfungsi
text
After login, the server keeps a SESSION identifying the user across requests:
→ a SESSION ID (or token) is stored client-side (usually a cookie) and sent each request
→ the server uses it to know who the user is (without re-authenticating each time)
→ the session ID/token is effectively a key to the user's account → must be PROTECTED.
Ngamanake session
text
✓ SECURE COOKIE flags for session cookies:
→ HttpOnly → JavaScript can't read it (protects against theft via XSS)
→ Secure → sent only over HTTPS (not plaintext)
→ SameSite → not sent on cross-site requests (mitigates CSRF)
✓ Strong, RANDOM, unpredictable session IDs (can't be guessed)
✓ Store session data server-side (or sign/encrypt tokens); transmit over HTTPS only