Authentication & Identity
Session Cookie
A session cookie is a small piece of data stored in the browser that the server uses to identify an authenticated user's session. It typically contains a random session ID that maps to server-side session state. Session cookies should always use the HttpOnly, Secure, and SameSite attributes to prevent theft via XSS, interception over plain HTTP, and CSRF attacks respectively. Session fixation and session hijacking are common attacks targeting poorly managed session cookies.
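As an added example (not code from this page), the Python below shows the three pieces the definition describes: a Set-Cookie value that carries HttpOnly, Secure and SameSite, a small audit function that parses a Set-Cookie value and reports which of those attributes are missing or weakened, and a session store that issues a fresh random ID at login so a session ID planted before authentication (session fixation) never becomes an authenticated one. The cookie name `sid`, the one-hour lifetime and the sample header values are constructed for the example.

```python
import secrets
from typing import Dict, List, Optional


def new_session_id() -> str:
    """Return an unguessable session identifier (256 bits of randomness)."""
    return secrets.token_urlsafe(32)


def build_set_cookie(session_id: str, name: str = "sid", max_age: int = 3600) -> str:
    """Build a Set-Cookie header value carrying the three defensive attributes.

    HttpOnly keeps script (XSS) from reading the cookie, Secure keeps the
    browser from sending it over plain HTTP, and SameSite=Strict keeps it
    off cross-site requests (CSRF). The cookie name "sid" and the lifetime
    are constructed values for this example.
    """
    return (
        f"{name}={session_id}; Path=/; Max-Age={max_age}; "
        "HttpOnly; Secure; SameSite=Strict"
    )


def audit_set_cookie(header_value: str) -> List[str]:
    """Parse a Set-Cookie header value and report missing or weak attributes.

    Returns an empty list when the cookie carries HttpOnly, Secure and a
    SameSite value other than None. Attribute names are case-insensitive.
    """
    findings: List[str] = []
    parts = [p.strip() for p in header_value.split(";")]
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:  # parts[0] is the name=value pair itself
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if value else None
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if "secure" not in attrs:
        findings.append("missing Secure")
    samesite = attrs.get("samesite")
    if samesite is None:
        findings.append("missing SameSite")
    elif samesite.lower() == "none":
        findings.append("SameSite=None disables cross-site request protection")
    return findings


class SessionStore:
    """Minimal server-side session state keyed by session ID."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def create_anonymous(self) -> str:
        """Issue a session ID for a visitor who has not authenticated."""
        sid = new_session_id()
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, presented_sid: str, user: str) -> str:
        """Authenticate the user and rotate the session ID.

        Discarding the presented ID and issuing a new one is the standard
        defence against session fixation: an ID an attacker managed to set
        in the victim's browser beforehand is never upgraded to a logged-in
        session.
        """
        self._sessions.pop(presented_sid, None)
        fresh_sid = new_session_id()
        self._sessions[fresh_sid] = {"user": user}
        return fresh_sid

    def user_for(self, sid: str) -> Optional[str]:
        """Return the authenticated user for a session ID, or None."""
        return self._sessions.get(sid, {}).get("user")


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create_anonymous()
    sid = store.login(anon, "alice")  # constructed user name
    print(build_set_cookie(sid))
    print(audit_set_cookie("sid=abc; Path=/"))
```

In a real application `build_set_cookie` would be replaced by the framework's cookie API, but the audit function is useful as-is for checking the Set-Cookie headers a deployed site actually emits.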
Why it matters for your website
1. Directly impacts resistance to account takeover and credential theft
2. Required for SOC 2, HIPAA, and PCI-DSS compliance
3. Misconfiguration can expose all user accounts to attack