selvalives

Untitled

Aug 27th, 2019
Session management notes

Sessions are the only option we have to make the connection between client and server look stateful.
In fact, the connections are stateless.
State can be maintained in two ways: session tokens or authentication tokens.

Session token
-session is maintained totally at the server
-only the session id is stored in the cookie

Authentication token
-session is maintained totally at the client, which reduces server overhead; example is JWT
-encrypted and safe

Types of session attacks
Session hijacking
-stealing a valid session cookie through a sniffing attack like MITM
Session fixation
-finding a way to set a known session id in the victim's browser

ASP.NET session management
-client side
  -viewstate
  -hidden field
  -cookies
  -control state
  -query string
-server side
  -session
  -application object
  -profile properties

Defensive practices
Session hijacking
-implement SSL to encrypt cookies in transit
-short expiry time
-avoid cookieless sessions
-avoid cookieless="UseUri"
-avoid cookieless="AutoDetect"
-avoid cookieless="UseDeviceProfile"
-enable regenerateExpiredSessionId if cookieless sessions must be used
-reset the session when the user logs out
-generate lengthy session keys to prevent guessing
-re-authenticate when a critical function is being executed

Session fixation
-the ASP.NET_SessionId cookie has to be removed explicitly in addition to calling
Session.Abandon, Session.RemoveAll and Session.Clear

Cross Site Scripting Attack (XSS)
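The logout and login handling described in the session fixation note, written out as an added example (not code from the original notes). It assumes classic ASP.NET on System.Web with the default ASP.NET_SessionId cookie name; the SessionSecurity class and its method names are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.SessionState;

// Hypothetical helper; class and method names are assumptions, not from the notes.
public static class SessionSecurity
{
    // Default cookie name set by <sessionState> in web.config.
    private const string SessionCookieName = "ASP.NET_SessionId";

    // Logout: clearing server-side state is not enough, because the browser
    // keeps the same ASP.NET_SessionId cookie and ASP.NET reuses that id on
    // the next request. The cookie must be expired explicitly as well.
    public static void Logout(HttpContext context)
    {
        context.Session.Clear();      // drop all keys from the current session
        context.Session.RemoveAll();  // same effect as Clear(); listed in the notes
        context.Session.Abandon();    // end the session on the server

        // Overwrite the cookie with an already-expired one so the old id is dropped.
        var expired = new HttpCookie(SessionCookieName, string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true,
            Secure = context.Request.IsSecureConnection
        };
        context.Response.Cookies.Set(expired);
    }

    // Login: issue a fresh session id after successful authentication so that
    // an id planted in the browser before login never becomes an authenticated one.
    // Call this before storing anything in Session for the signed-in user;
    // data from the previous session id is not carried over.
    public static string RegenerateSessionId(HttpContext context)
    {
        var manager = new SessionIDManager();
        string newId = manager.CreateSessionID(context);
        bool redirected, cookieAdded;
        manager.SaveSessionID(context, newId, out redirected, out cookieAdded);
        return newId;
    }
}
```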