1. Begin the session over SSL/TLS (HTTPS), never over plain HTTP.
2. Check your session management configuration (php.ini or ini_set: session.use_only_cookies, session.use_strict_mode, session.cookie_secure, session.cookie_httponly, session.gc_maxlifetime).
3. Enable a highly unpredictable session ID: use PHP's own generator with a long ID and never derive IDs from predictable values such as the time or the user ID.
4. Verify that session IDs were actually generated by your server; reject unknown IDs instead of adopting them (session.use_strict_mode), which blocks session fixation.
5. Enable HttpOnly and Secure cookies via PHP (session.cookie_httponly, session.cookie_secure).
6. Enable secure login over SSL/TLS: the credential POST must go to an HTTPS URL.
7. Always regenerate the session ID on successful authentication (session_regenerate_id(true)).
8. Force users to re-authenticate with their password over SSL/TLS before any critical action (password or e-mail change, payment, privilege changes).
9. Always regenerate the session ID on privilege elevation.
10. Store all session data in the server-side session array ($_SESSION) only; the client holds nothing but the ID.
11. Make the logout option available on every page.
12. Upon logging out, explicitly destroy all user session data on the server (clear $_SESSION and call session_destroy()).
13. Force expiration of session cookies on the server: enforce idle and absolute lifetimes server-side rather than trusting the cookie's own expiry.
14. Explicitly and immediately destroy the session on suspicious activity (for example a session ID that fails validation, or client characteristics that change mid-session).
15. Use only cookies for session ID transmission; never accept the ID from the URL or a form field (session.use_only_cookies, session.use_trans_sid = 0).
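The fifteen rules above, worked into one PHP session layer as an added example (this is not code from the original page). It assumes PHP 7.3 or later; the function names, the constructed single-user table and the 1800/300-second timeouts are assumptions chosen for illustration.

```php
<?php
// Added example (not from the original page): a minimal session layer applying
// the fifteen rules above. Assumes PHP >= 7.3; the user table, function names
// and the 1800/300-second timeouts are choices made for this example.
declare(strict_types=1);

const IDLE_LIMIT   = 1800;  // 13. server-side idle timeout, seconds
const REAUTH_LIMIT = 300;   // 8. window in which a password check stays valid, seconds

function secure_session_start(): void
{
    // 1, 6. Never run a session over plain HTTP.
    if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
        http_response_code(403);
        exit('HTTPS required');
    }
    // 2, 15. The session ID travels only in a cookie, never in URLs or forms.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // 4. Reject IDs the server did not issue (blocks session fixation).
    ini_set('session.use_strict_mode', '1');
    // 5. Cookie unreadable by script, sent only over TLS, not sent cross-site.
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');
    ini_set('session.cookie_samesite', 'Lax');
    // 3. Long IDs from PHP's CSPRNG-backed generator (directives exist since 7.1,
    //    deprecated in 8.4 where the default is already this strong).
    ini_set('session.sid_length', '48');
    ini_set('session.sid_bits_per_character', '6');
    // 13. Session-only cookie; the real lifetime is enforced below on the server.
    ini_set('session.cookie_lifetime', '0');
    ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT);

    session_start();

    $now = time();
    $ua  = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    // 14. Suspicious activity: idle too long, or the client fingerprint changed
    //     mid-session. Wipe the data and issue a fresh ID; the old one is deleted.
    if ((isset($_SESSION['last_seen']) && $now - $_SESSION['last_seen'] > IDLE_LIMIT)
        || (isset($_SESSION['ua']) && !hash_equals($_SESSION['ua'], $ua))) {
        $_SESSION = [];
        session_regenerate_id(true);
    }
    $_SESSION['last_seen'] = $now;
    $_SESSION['ua']        = $ua;
}

function verify_credentials(string $username, string $password): bool
{
    // Constructed single-user store for the example; a real app reads hashes from a database.
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    }
    return isset($users[$username]) && password_verify($password, $users[$username]);
}

function login(string $username, string $password): bool
{
    if (!verify_credentials($username, $password)) {
        return false;
    }
    // 7. Fresh ID after authentication: a pre-login ID an attacker may know is now worthless.
    session_regenerate_id(true);
    // 10. User state lives only in $_SESSION on the server.
    $_SESSION['user']      = $username;
    $_SESSION['auth_time'] = time();
    $_SESSION['is_admin']  = false;
    return true;
}

function elevate_privileges(): void
{
    // 9. New ID whenever the session gains rights.
    session_regenerate_id(true);
    $_SESSION['is_admin'] = true;
}

function require_fresh_password(string $password): bool
{
    // 8. Critical action: demand the password again unless it was verified within REAUTH_LIMIT.
    if (!isset($_SESSION['user'])) {
        return false;
    }
    if (time() - ($_SESSION['auth_time'] ?? 0) <= REAUTH_LIMIT) {
        return true;
    }
    if (!verify_credentials($_SESSION['user'], $password)) {
        return false;
    }
    $_SESSION['auth_time'] = time();
    return true;
}

function destroy_session(): void
{
    // 12. Wipe the server-side data and storage for this ID...
    $_SESSION = [];
    // 13. ...and tell the browser to drop the cookie (expiry in the past).
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 42000,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}
```

Call secure_session_start() before any output on every page; the logout page (linked from every page, rule 11) calls destroy_session(), and a handler for a critical action such as a password change calls require_fresh_password($_POST['password']) and refuses to proceed when it returns false. Note that ini_set() only affects the current request, so a directive that a hosting provider locks in php.ini (or sets to a weaker value after a PHP upgrade) is exactly what rule 2's configuration review is meant to catch.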