Session management 处理让用户在整个请求中保持登录状态——以安全的方式进行这一操作很重要,因为会话漏洞(hijacking、fixation)让攻击者可以冒充用户。安全的会话涉及正确的token处理、cookie安全性和生命周期管理。
会话如何工作
After login, the server keeps a SESSION identifying the user across requests:
→ a SESSION ID (or token) is stored client-side (usually a cookie) and sent each request
→ the server uses it to know who the user is (without re-authenticating each time)
→ the session ID/token is effectively a key to the user's account → must be PROTECTED.
保护会话
✓ SECURE COOKIE flags for session cookies:
→ HttpOnly → JavaScript can't read it (protects against theft via XSS)
→ Secure → sent only over HTTPS (not plaintext)
→ SameSite → not sent on cross-site requests (mitigates CSRF)
✓ Strong, RANDOM, unpredictable session IDs (can't be guessed)
✓ Store session data server-side (or sign/encrypt tokens); transmit over HTTPS only
