Which practice is commonly included to mitigate broken authentication and session management?

Prepare for the PCI DSS Requirements Test with our interactive quizzes. Use multiple choice questions, flashcards, and detailed explanations. Ace your exam with confidence!

Multiple Choice

Which practice is commonly included to mitigate broken authentication and session management?

Explanation:
Protecting session tokens is essential to preventing session hijacking. Marking the session cookie as Secure ensures the browser sends it only over HTTPS, so the token is never transmitted in plaintext on an insecure connection. This reduces the risk of interception in transit and helps keep authenticated sessions protected, especially when paired with HttpOnly (so the cookie cannot be read by script, which limits what an XSS bug can steal) and SameSite (to mitigate cross-site request forgery).

Exposing session IDs in the URL is risky because URLs end up in browser history, server and proxy logs, bookmarks and Referer headers, making the token easy to discover. Using a fixed, long-lived session ID means a stolen token can be reused for a long time, increasing the impact of any leak; an ID that is never regenerated at login also leaves the application open to session fixation. Disabling timeouts leaves sessions open indefinitely, allowing ongoing use if a token is compromised. Marking the session token as Secure directly addresses the risk of token theft in transit and aligns with proper session management practices.
