• Digitally sign or hash session-tracking information
• Encrypt information in the URL, hidden form element, or cookie
• Make sure that your session IDs are long enough to prevent accidental collision
• Apply a timestamp within the session ID variable and encrypt it
• Allow users to terminate their sessions via a logout button which will invalidate the session ID
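
One way to apply several of the points above, as an added example that is not part of the original page: a session token that carries a 128-bit random ID and an issue timestamp, is signed with HMAC-SHA256, and is invalidated server-side at logout. It signs the token rather than encrypting it; the key handling, lifetime, in-memory revocation set and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)  # assumption: server-side key, never sent to the client
MAX_AGE_SECONDS = 1800                # assumption: 30-minute session lifetime
_revoked = set()                      # assumption: in-memory; a real deployment needs a shared store


def _sign(payload: str) -> str:
    """HMAC-SHA256 over the session ID and timestamp."""
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(now=None) -> str:
    """Return 'session_id.issued_at.signature'."""
    session_id = secrets.token_hex(16)  # 128 random bits: collisions are negligible
    issued_at = int(time.time() if now is None else now)
    payload = f"{session_id}.{issued_at}"
    return f"{payload}.{_sign(payload)}"


def validate_token(token: str, now=None) -> bool:
    """Accept only untampered, unexpired tokens that have not been logged out."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    session_id, issued_at, signature = parts
    expected = _sign(f"{session_id}.{issued_at}")
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(signature.encode(), expected.encode()):
        return False  # ID or timestamp was modified, or the token was forged
    current = time.time() if now is None else now
    if current - int(issued_at) > MAX_AGE_SECONDS:
        return False  # signed timestamp is too old
    return session_id not in _revoked


def logout(token: str) -> None:
    """Invalidate the session ID so the token fails validation from now on."""
    _revoked.add(token.split(".")[0])
```

Because the timestamp is covered by the signature, a client cannot extend a session by editing it, and a logged-out token stays rejected even if it is replayed before its expiry.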