A session is a stateful conversation between a website and a user agent, such as a browser.
When a user accesses a website, they typically make multiple HTTP requests – even in the course of visiting a single page. To protect sensitive resources, many sites make use of an authentication system. Since having the user authenticate themselves with every web request is impractical, a session will be established between the site and the browser.
Sessions should be communicated via cookies – either by passing an opaque session ID back and forth in the cookie headers, or by passing all session information back and forth in the cookie itself – and in the latter case the session data must be tamper-proofed and/or encrypted.
Older mechanisms of communicating session information – in the URL, or the body of the HTTP request – are vulnerable to attack.
You should ensure your session IDs are unguessable.
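The following added example (not code from the original article) shows both cookie-based approaches described above in a minimal form: an opaque session ID drawn from the operating system's CSPRNG, so that it is unguessable, and a self-contained session cookie whose contents are made tamper-proof with an HMAC-SHA256 tag. HMAC-SHA256 is a choice made here for illustration, not something the article prescribes; `SERVER_KEY` is generated at import time for the demonstration and would come from a secret store in a real deployment. A forged or edited cookie fails verification and is treated as no session at all.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed for this example only: a real server loads this from a secret store
# and rotates it. Anyone who knows the key can forge session cookies.
SERVER_KEY = secrets.token_bytes(32)


def new_session_id() -> str:
    """Opaque session ID: 32 bytes (256 bits) from the OS CSPRNG, URL-safe encoded.

    The ID carries no meaning; the server looks the session up in its own store.
    It must never be derived from predictable values such as time or a counter.
    """
    return secrets.token_urlsafe(32)


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> Optional[bytes]:
    try:
        return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
    except (ValueError, binascii.Error):
        return None


def sign_session(data: dict, key: bytes = SERVER_KEY) -> str:
    """Serialise the session data and append an HMAC-SHA256 tag: <payload>.<tag>.

    The data is readable by the client (it is not encrypted here), but any change
    to the payload invalidates the tag, so the client cannot alter its own session.
    """
    payload = _b64encode(
        json.dumps(data, separators=(",", ":"), sort_keys=True).encode("utf-8")
    )
    tag = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
    return payload + "." + _b64encode(tag)


def verify_session(cookie: str, key: bytes = SERVER_KEY, now: Optional[float] = None) -> Optional[dict]:
    """Return the session data if the cookie is authentic and unexpired, else None.

    The tag is checked with a constant-time comparison before the payload is
    parsed, so malformed or forged payloads never reach the JSON decoder.
    """
    if cookie.count(".") != 1:
        return None
    payload, tag_text = cookie.split(".", 1)
    tag = _b64decode(tag_text)
    if tag is None:
        return None
    expected = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    raw = _b64decode(payload)
    if raw is None:
        return None
    try:
        data = json.loads(raw.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(data, dict):
        return None
    current = time.time() if now is None else now
    if data.get("exp", 0) <= current:
        return None  # expired sessions are rejected even though the tag is valid
    return data


def set_cookie_header(name: str, value: str, max_age: int) -> str:
    """Build a Set-Cookie header that keeps the session out of scripts and plain HTTP.

    Secure: only sent over HTTPS. HttpOnly: not readable by page scripts.
    SameSite=Lax: not attached to most cross-site requests.
    """
    return f"{name}={value}; Max-Age={max_age}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    sid = new_session_id()
    print(set_cookie_header("sid", sid, 3600))
    cookie = sign_session({"user": "alice", "exp": int(time.time()) + 3600})
    print("valid   ->", verify_session(cookie))
    forged = cookie[:-1] + ("A" if cookie[-1] != "A" else "B")
    print("forged  ->", verify_session(forged))
```

Either design rejects a stolen-but-edited cookie; neither protects a cookie that is stolen intact, which is why the transport attributes in `set_cookie_header` matter as much as the signing.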
Session hijacking refers to the scenario where an attacker is able to impersonate a legitimate user, either by stealing their session identifier, or forging session information. This is a common avenue of attack for hackers, since it does not require them to guess any passwords.