Today I read a good article regarding session security, I want to share with you.
Please click for article
Below it is the summary.
Always regenerate a session ID (SID) when elevating privileges or changing between HTTP and HTTPS.
Check for suspicious activity and immediately destroy any suspect session.
Store all session information server-side, never store anything except the SID in the client-side cookie.
Confirm SIDs aren't from an external source, and verify the session was generated by your server.
Don't append the SID to URLs as a GET parameter.
Expire sessions on the server side, don't rely on cookie expiration to end a user session.
Use long and unpredictable session IDs.
Properly sanitize user input before setting headers with them.
When a user logs out, destroy their session explicitly on the server.
Check your session configuration.
Force users to re-authenticate on any destructive or critical actions.