Sessiebeheer handelt het bijhouden van ingelogde gebruikers over verzoeken heen af — en dit veilig doen is belangrijk, aangezien sessie-kwetsbaarheden (hijacking, fixation) aanvallers in staat stellen gebruikers na te bootsen. Veilige sessies omvatten juiste tokenverwerking, cookiebeveiliging en levenscyclusbeheer.
Hoe sessies werken
After login, the server keeps a SESSION identifying the user across requests:
→ a SESSION ID (or token) is stored client-side (usually a cookie) and sent each request
→ the server uses it to know who the user is (without re-authenticating each time)
→ the session ID/token is effectively a key to the user's account → must be PROTECTED.
Sessies beveiligen
✓ SECURE COOKIE flags for session cookies:
→ HttpOnly → JavaScript can't read it (protects against theft via XSS)
→ Secure → sent only over HTTPS (not plaintext)
→ SameSite → not sent on cross-site requests (mitigates CSRF)
✓ Strong, RANDOM, unpredictable session IDs (can't be guessed)
✓ Store session data server-side (or sign/encrypt tokens); transmit over HTTPS only
