1. What is the primary purpose of secure session management in web applications?

A) To prevent unauthorized access to user sessions
B) To enhance the performance of the web application
C) To limit the number of concurrent user logins
D) To store user passwords securely

Answer: A) To prevent unauthorized access to user sessions

Explanation: Secure session management ensures that user sessions are protected against attacks like session hijacking, fixation, and replay attacks, preventing unauthorized access.


2. Which of the following is a primary method to prevent session hijacking?

A) Using HTTPS for all session-related communication
B) Storing session tokens in local storage
C) Using weak session tokens
D) Assigning the same session ID to all users

Answer: A) Using HTTPS for all session-related communication

Explanation: HTTPS encryption prevents session hijacking by ensuring session tokens cannot be intercepted via man-in-the-middle (MITM) attacks. Storing session tokens in local storage is insecure because JavaScript-based attacks (XSS) can read and exfiltrate them.


3. What is session fixation?

A) When a session ID is stolen and reused by an attacker
B) When an attacker forces a user to use a pre-defined session ID
C) When a session is reused after logging out
D) When session tokens expire too quickly

Answer: B) When an attacker forces a user to use a pre-defined session ID

Explanation: Session fixation occurs when an attacker sets a known session ID and forces the victim to use it. Once the victim logs in, the attacker can hijack the session.


4. What is the best mitigation against session fixation attacks?

A) Regenerating session IDs after authentication
B) Using long-lived session IDs
C) Encrypting session tokens on the client side
D) Using only GET requests to transmit session IDs

Answer: A) Regenerating session IDs after authentication

Explanation: Regenerating session IDs after login ensures that attackers cannot reuse fixed session IDs.


5. Which session storage method is considered the most secure?

A) HTTP-only cookies
B) Local storage
C) Session storage
D) Hidden form fields

Answer: A) HTTP-only cookies

Explanation: HTTP-only cookies are not accessible via JavaScript, preventing XSS attacks from stealing session tokens.


6. Why should session IDs not be included in URLs?

A) They can be exposed in browser history and server logs
B) They make URLs difficult to read
C) They increase the database storage size
D) They slow down page loading speed

Answer: A) They can be exposed in browser history and server logs

Explanation: Session IDs in URLs can end up in browser history, server logs, and Referer headers sent to third-party sites, making them easy to steal.


7. What is the recommended way to end a session securely?

A) Destroy the session on the server and delete the session cookie
B) Expire the session token but keep it in storage
C) Only remove the session ID from the user’s local storage
D) Redirect the user without deleting the session

Answer: A) Destroy the session on the server and delete the session cookie

Explanation: A secure logout process should delete the session token from both the client and the server to prevent reuse.


8. What is a good practice for session expiration?

A) Implement both idle timeout and absolute timeout
B) Never expire a session as long as the user is logged in
C) Set session expiration to at least 24 hours
D) Use a fixed expiration time without renewal

Answer: A) Implement both idle timeout and absolute timeout

Explanation: Idle timeout logs users out after inactivity, while absolute timeout ensures old sessions expire even if the user is active.


9. What is the main purpose of a CSRF token in session security?

A) Prevents unauthorized form submissions from other sites
B) Encrypts session tokens
C) Authenticates users at login
D) Enables session persistence

Answer: A) Prevents unauthorized form submissions from other sites

Explanation: Cross-Site Request Forgery (CSRF) tokens prevent attackers from making unauthorized state-changing requests on behalf of authenticated users.


10. How does the “Secure” flag in cookies improve session security?

A) Prevents cookies from being sent over HTTP
B) Encrypts the session ID
C) Prevents JavaScript from accessing the cookie
D) Hides the cookie from the browser

Answer: A) Prevents cookies from being sent over HTTP

Explanation: The Secure flag ensures that cookies are only sent over HTTPS, preventing MITM attacks.


11. What is a secure session token characteristic?

A) Random, unique, and long enough to prevent brute force attacks
B) Fixed for every user session
C) Stored in local storage for easy access
D) Predictable for efficient processing

Answer: A) Random, unique, and long enough to prevent brute force attacks

Explanation: Secure tokens should be random, unpredictable, and long enough to avoid brute force attacks.


12. How can session hijacking be detected?

A) Monitoring for abnormal IP or device changes
B) Checking if the session ID is still active
C) Limiting session length to 10 minutes
D) Using client-side encryption

Answer: A) Monitoring for abnormal IP or device changes

Explanation: Anomalous behavior detection (e.g., IP changes, device fingerprinting) helps identify session hijacking attempts.


13. What is the recommended length for a secure session ID?

A) At least 128 bits of entropy
B) 32 bits
C) 8 characters
D) A simple username concatenated with a timestamp

Answer: A) At least 128 bits of entropy

Explanation: 128-bit entropy ensures that session IDs are resistant to brute-force attacks.


14. Why should session tokens never be stored in local storage?

A) They are vulnerable to XSS attacks
B) They are encrypted by default
C) They are more difficult to access than cookies
D) They expire faster

Answer: A) They are vulnerable to XSS attacks

Explanation: Local storage is accessible via JavaScript, making it vulnerable to XSS attacks.


15. Which method helps mitigate session hijacking by ensuring user authenticity?

A) Multi-Factor Authentication (MFA)
B) Keeping sessions active indefinitely
C) Sharing session IDs across multiple users
D) Encrypting session tokens with AES

Answer: A) Multi-Factor Authentication (MFA)

Explanation: MFA makes session hijacking more difficult by requiring an additional authentication factor.


16. Which of the following is the best way to ensure that an expired session cannot be reused?

A) Encrypting the session ID before storing it
B) Implementing session timeout and token invalidation
C) Storing the session token in local storage
D) Using the same session ID across multiple sessions

Answer: B) Implementing session timeout and token invalidation

Explanation: Proper session expiration mechanisms ensure that old sessions cannot be reused, preventing replay attacks.


17. Which attack can occur if a session cookie does not have the HttpOnly flag enabled?

A) SQL Injection
B) Cross-Site Scripting (XSS)
C) Clickjacking
D) DNS Spoofing

Answer: B) Cross-Site Scripting (XSS)

Explanation: Without the HttpOnly flag, JavaScript can access session cookies, making them vulnerable to XSS attacks.


18. What is the best way to protect against session hijacking over public Wi-Fi networks?

A) Use strong passwords
B) Enable Two-Factor Authentication (2FA)
C) Always use HTTPS and encrypt session data
D) Store session IDs in local storage

Answer: C) Always use HTTPS and encrypt session data

Explanation: HTTPS ensures end-to-end encryption, preventing attackers from intercepting session tokens.


19. What should happen to a session when a user logs out?

A) The session should remain active for a few minutes
B) The session ID should be regenerated
C) The session should be destroyed on the server and cookie deleted
D) The session should only be removed from client-side storage

Answer: C) The session should be destroyed on the server and cookie deleted

Explanation: Secure logout ensures session tokens are invalidated both on the client and server to prevent unauthorized reuse.


20. What can attackers do with a stolen session ID?

A) Perform session replay attacks
B) Change the user’s password without logging in
C) Access session IDs of other users
D) Modify the session expiration time

Answer: A) Perform session replay attacks

Explanation: If an attacker steals a valid session token, they can use it to impersonate the legitimate user until the session expires.


21. Which session-related setting can help prevent session hijacking?

A) Enabling SameSite cookies
B) Allowing guest logins
C) Setting session IDs to a fixed value
D) Removing cookies when the browser is closed

Answer: A) Enabling SameSite cookies

Explanation: SameSite cookies restrict session cookies from being sent in cross-site requests, mitigating CSRF attacks.


22. Why should developers use short-lived session tokens?

A) To improve server performance
B) To reduce the risk of session hijacking
C) To increase the complexity of authentication
D) To allow longer user sessions

Answer: B) To reduce the risk of session hijacking

Explanation: Short-lived tokens minimize the attack window if a session token is stolen.


23. What is a secure way to store session tokens on a client device?

A) Local storage
B) Session storage
C) HTTP-only cookies
D) IndexedDB

Answer: C) HTTP-only cookies

Explanation: HTTP-only cookies prevent JavaScript access, reducing the risk of token theft through XSS.


24. What is a common cause of session fixation vulnerabilities?

A) Using short session expiration times
B) Not regenerating session IDs after authentication
C) Using long and unpredictable session tokens
D) Storing session IDs in HTTP-only cookies

Answer: B) Not regenerating session IDs after authentication

Explanation: Regenerating session IDs after login prevents attackers from using pre-defined session tokens.


25. How can an attacker exploit an insecure session timeout configuration?

A) By forcing a victim to log out
B) By reusing an old session token
C) By blocking session expiration signals
D) By sending multiple login requests

Answer: B) By reusing an old session token

Explanation: If sessions do not expire properly, attackers can reuse old session tokens to gain access.


26. Which HTTP header can help prevent session hijacking?

A) X-Content-Type-Options
B) Strict-Transport-Security (HSTS)
C) Cache-Control
D) Content-Length

Answer: B) Strict-Transport-Security (HSTS)

Explanation: HSTS forces HTTPS connections, preventing session hijacking via MITM attacks.


27. What is an effective way to prevent session replay attacks?

A) Implementing session ID rotation
B) Increasing session expiration time
C) Using a fixed session token
D) Encrypting session tokens in the database

Answer: A) Implementing session ID rotation

Explanation: Session ID rotation ensures that stolen session tokens cannot be reused.


28. Which of the following best describes “token binding” in session management?

A) Ensuring session tokens are linked to a specific device
B) Storing session tokens in a secure location
C) Using encryption to protect session cookies
D) Assigning the same session ID to every request

Answer: A) Ensuring session tokens are linked to a specific device

Explanation: Token binding ties a session to a device to prevent token theft and reuse.


29. How can developers prevent session enumeration attacks?

A) By using unpredictable session IDs
B) By setting session timeout to 24 hours
C) By storing session IDs in local storage
D) By using static session IDs

Answer: A) By using unpredictable session IDs

Explanation: Random and long session IDs prevent attackers from guessing valid session tokens.


30. What happens if session data is not properly cleared on logout?

A) The session can be hijacked even after logout
B) The session will be automatically destroyed
C) The user will be unable to log in again
D) The session ID will change automatically

Answer: A) The session can be hijacked even after logout

Explanation: Sessions must be invalidated on logout to prevent unauthorized access.


31. How can an application ensure session integrity?

A) By signing session tokens with a secret key
B) By using unencrypted session tokens
C) By storing session IDs in URL parameters
D) By allowing multiple active sessions

Answer: A) By signing session tokens with a secret key

Explanation: Digitally signed session tokens ensure they are not modified or forged.


32. What is the role of session pinning in security?

A) Binding a session to an IP address or device
B) Allowing session reuse after logout
C) Encrypting session cookies
D) Keeping sessions active indefinitely

Answer: A) Binding a session to an IP address or device

Explanation: Session pinning restricts sessions to a specific device or IP, preventing session hijacking.


33. Why should session cookies be marked as “Secure” and “HttpOnly”?

A) To protect against XSS and MITM attacks
B) To increase server performance
C) To store session data longer
D) To allow cross-domain session sharing

Answer: A) To protect against XSS and MITM attacks

Explanation: Secure cookies ensure encrypted transport, while HttpOnly prevents JavaScript access.


34. What is the best response to detecting a session hijacking attempt?

A) Notify the user and force logout
B) Increase session timeout
C) Ignore the attempt and monitor logs
D) Encrypt all session tokens

Answer: A) Notify the user and force logout

Explanation: Logging out compromised users prevents attackers from maintaining access.


35. Why is it recommended to use short-lived session tokens in API authentication?

A) To improve performance by reducing token size
B) To minimize the attack window in case of token compromise
C) To allow persistent logins for convenience
D) To ensure session IDs are not exposed in logs

Answer: B) To minimize the attack window in case of token compromise

Explanation: Short-lived tokens ensure that if stolen, they expire quickly, reducing the risk of session hijacking and replay attacks.


36. What is a major drawback of using IP-based session binding?

A) It slows down authentication
B) It prevents session timeout
C) It can cause session disruptions due to dynamic IP changes
D) It requires manual token regeneration

Answer: C) It can cause session disruptions due to dynamic IP changes

Explanation: Many users have dynamic IP addresses, and binding sessions to IPs may lead to unexpected session terminations.


37. How does a SameSite=Lax cookie setting improve security?

A) Prevents session hijacking by encrypting the cookie
B) Allows session cookies to be sent only for top-level navigations
C) Ensures session cookies are never shared across sites
D) Automatically logs users out when inactive

Answer: B) Allows session cookies to be sent only for top-level navigations

Explanation: SameSite=Lax prevents cookies from being sent in most cross-site requests, reducing CSRF risks while allowing normal browsing.


38. What is the primary security concern of allowing multiple active sessions per user?

A) It increases the server’s memory usage
B) It makes tracking user activity harder
C) It increases the risk of session hijacking across multiple devices
D) It prevents brute-force attacks

Answer: C) It increases the risk of session hijacking across multiple devices

Explanation: Multiple active sessions mean that if one session is compromised, an attacker can maintain access without logging the user out.


39. What is a major security risk of using persistent (remember me) sessions?

A) Users may forget their passwords
B) Attackers can hijack long-lived sessions if the device is stolen
C) Persistent sessions slow down authentication
D) The session data gets corrupted over time

Answer: B) Attackers can hijack long-lived sessions if the device is stolen

Explanation: Persistent sessions keep users logged in for long periods, making them a target for session hijacking on stolen devices.


40. How can developers secure session management for Single Page Applications (SPAs)?

A) Use JSON Web Tokens (JWT) with proper expiration and refresh tokens
B) Store session data in local storage for easy access
C) Disable session expiration
D) Rely solely on front-end validation

Answer: A) Use JSON Web Tokens (JWT) with proper expiration and refresh tokens

Explanation: JWTs allow secure session management when combined with short expiration and refresh tokens.


41. Which attack exploits the reuse of old session tokens?

A) Session fixation
B) Session replay
C) Clickjacking
D) SQL Injection

Answer: B) Session replay

Explanation: Session replay attacks occur when attackers capture and reuse valid session tokens to gain unauthorized access.


42. What is a recommended way to protect session data at rest?

A) Encrypting session tokens before storing them in the database
B) Storing session data in local storage
C) Keeping sessions active indefinitely
D) Using hardcoded session keys

Answer: A) Encrypting session tokens before storing them in the database

Explanation: Encrypting session tokens ensures that even if the database is compromised, attackers cannot easily decrypt session data.


43. What role does “context-aware session management” play in security?

A) Detects anomalies in session activity based on user behavior
B) Encrypts session tokens
C) Prevents CSRF attacks
D) Automatically logs users out every 30 minutes

Answer: A) Detects anomalies in session activity based on user behavior

Explanation: Context-aware security monitors login locations, IPs, and device fingerprints to detect suspicious activity.


44. What happens when a session token lacks entropy?

A) It becomes predictable and vulnerable to brute-force attacks
B) The user cannot log in properly
C) The session expires instantly
D) The session is protected against all attacks

Answer: A) It becomes predictable and vulnerable to brute-force attacks

Explanation: Low-entropy tokens are easier to guess, leading to session hijacking risks.


45. Which authentication mechanism enhances session security by reducing reliance on passwords?

A) OAuth with token-based authentication
B) Storing session IDs in local storage
C) Using GET parameters for session tokens
D) Hardcoding session keys in the database

Answer: A) OAuth with token-based authentication

Explanation: OAuth tokens reduce password exposure because the application handles a token rather than the user's password, relying on secure token-based authentication instead.


46. How does session inactivity timeout help improve security?

A) It prevents sessions from being used indefinitely
B) It increases system performance
C) It ensures users remain logged in longer
D) It allows multiple users to share a session

Answer: A) It prevents sessions from being used indefinitely

Explanation: Inactivity timeouts ensure that unused sessions expire, reducing the risk of session hijacking.


47. Why should sensitive session data never be stored in client-side storage?

A) It can be easily accessed by attackers through XSS attacks
B) It improves performance but has no security impact
C) It allows multiple users to access the same session
D) It helps speed up authentication

Answer: A) It can be easily accessed by attackers through XSS attacks

Explanation: Client-side storage (localStorage, sessionStorage) is accessible via JavaScript, making it vulnerable to XSS attacks.


48. What is an important security feature of OAuth-based session management?

A) Token expiration and refresh token mechanisms
B) Using static session tokens
C) Relying on GET requests to send tokens
D) Storing OAuth tokens in local storage

Answer: A) Token expiration and refresh token mechanisms

Explanation: OAuth refresh tokens allow secure re-authentication without long-lived access tokens.


49. Why is it important to monitor session activity logs?

A) To detect anomalies and unauthorized access attempts
B) To track user browsing history
C) To improve page load speed
D) To keep users logged in permanently

Answer: A) To detect anomalies and unauthorized access attempts

Explanation: Monitoring session logs helps identify suspicious activity, such as multiple logins from different locations.


50. What is the main security risk of using URL-based session tokens?

A) They can be exposed in browser history and server logs
B) They improve performance
C) They prevent session hijacking
D) They make authentication faster

Answer: A) They can be exposed in browser history and server logs

Explanation: Session tokens in URLs can end up in browser history, Referer headers, and server logs, making them vulnerable to session hijacking.


51. What is the best way to ensure a session remains secure even if an attacker intercepts the session token?

A) Implement token binding and IP-based validation
B) Use persistent session cookies
C) Store session IDs in browser local storage
D) Allow long session timeouts

Answer: A) Implement token binding and IP-based validation

Explanation: Token binding ties a session token to a specific device or IP, making it difficult for an attacker to reuse it.


52. What type of attack can occur if a session token is predictable?

A) Brute force attack
B) SQL Injection
C) Buffer overflow
D) Clickjacking

Answer: A) Brute force attack

Explanation: Weak or predictable session tokens can be guessed using brute-force attacks, allowing attackers to hijack sessions.


53. Why should session cookies be set with the “HttpOnly” flag?

A) To prevent JavaScript from accessing the session cookie
B) To allow easier session management across devices
C) To make session cookies last longer
D) To enable cross-site authentication

Answer: A) To prevent JavaScript from accessing the session cookie

Explanation: HttpOnly cookies protect against XSS attacks, preventing JavaScript from reading or stealing session tokens.


54. What is the main purpose of a session timeout mechanism?

A) To automatically log out inactive users and reduce hijacking risks
B) To prevent users from logging in too often
C) To make session cookies last longer
D) To allow users to remain logged in permanently

Answer: A) To automatically log out inactive users and reduce hijacking risks

Explanation: Session timeouts limit the window of opportunity for attackers to hijack an active session.


55. Which security practice helps prevent token theft via social engineering?

A) User education on phishing and security awareness
B) Hardcoding session IDs into client-side scripts
C) Using static session identifiers for all users
D) Disabling logout functionality

Answer: A) User education on phishing and security awareness

Explanation: User awareness helps prevent attacks like phishing, which trick users into revealing session tokens.


56. What is the best way to prevent session fixation attacks?

A) Regenerate session IDs after authentication
B) Assign the same session ID to all users
C) Allow users to choose their own session IDs
D) Store session tokens in local storage

Answer: A) Regenerate session IDs after authentication

Explanation: Session fixation can be mitigated by regenerating session IDs after login, preventing attackers from setting a fixed session ID.


57. How does the “Secure” cookie flag improve session security?

A) It prevents cookies from being sent over HTTP
B) It encrypts session tokens
C) It makes cookies expire faster
D) It prevents session reuse across devices

Answer: A) It prevents cookies from being sent over HTTP

Explanation: The Secure flag ensures that session cookies are only transmitted over HTTPS, preventing MITM attacks.


58. What is the impact of improperly configured CORS policies on session security?

A) Allows unauthorized websites to access user sessions
B) Prevents users from logging in
C) Slows down website performance
D) Automatically expires user sessions

Answer: A) Allows unauthorized websites to access user sessions

Explanation: Weak CORS policies can allow unauthorized domains to access user session data, leading to session hijacking.


59. How can session fixation be exploited by an attacker?

A) By forcing a user to use a pre-determined session ID
B) By stealing the session ID from browser history
C) By injecting malicious JavaScript into the session
D) By overloading the authentication server

Answer: A) By forcing a user to use a pre-determined session ID

Explanation: In session fixation attacks, an attacker sets a known session ID and forces the victim to use it, allowing them to hijack the session.


60. Which of the following is a recommended approach for logging out securely?

A) Destroy the session on the server and delete cookies
B) Hide the logout button from the user
C) Only delete session cookies on the client side
D) Allow users to log out but keep their session tokens valid

Answer: A) Destroy the session on the server and delete cookies

Explanation: A secure logout process destroys the session on the server and removes all active session tokens.


61. Why is it important to set an absolute session expiration time?

A) To prevent long-lived sessions from being exploited
B) To ensure users can always resume their session
C) To allow multiple active sessions
D) To make session tokens easier to manage

Answer: A) To prevent long-lived sessions from being exploited

Explanation: Absolute session expiration ensures old sessions expire even if a user remains active, reducing hijacking risks.


62. How can session hijacking attacks be detected?

A) By monitoring for changes in IP address or device fingerprint
B) By allowing long session expiration times
C) By using static session IDs
D) By storing session IDs in browser history

Answer: A) By monitoring for changes in IP address or device fingerprint

Explanation: Detecting IP address changes or device fingerprint mismatches can help detect session hijacking attempts.


63. Which type of attack can occur if authentication cookies are not properly secured?

A) Cross-Site Scripting (XSS)
B) Command Injection
C) XML Injection
D) Directory Traversal

Answer: A) Cross-Site Scripting (XSS)

Explanation: Unprotected authentication cookies can be stolen via XSS attacks, allowing session hijacking.


64. What is the purpose of a refresh token in session-based authentication?

A) To obtain a new access token without requiring user re-authentication
B) To store session data on the client-side
C) To prevent users from logging out
D) To force session IDs to change on every request

Answer: A) To obtain a new access token without requiring user re-authentication

Explanation: Refresh tokens allow a new access token to be issued without the user re-entering credentials, so the application does not need to rely on long-lived session tokens.


65. Why should session tokens be unique per user session?

A) To prevent token prediction and session hijacking
B) To speed up authentication processes
C) To allow session reuse
D) To ensure all users share the same session

Answer: A) To prevent token prediction and session hijacking

Explanation: Unique session tokens make it difficult for attackers to predict or brute-force session IDs.


66. How does a session replay attack work?

A) The attacker captures and reuses a valid session token
B) The attacker injects malicious code into the session
C) The attacker forces the user to log out
D) The attacker modifies session expiration settings

Answer: A) The attacker captures and reuses a valid session token

Explanation: In session replay attacks, an attacker intercepts and reuses a valid session token, impersonating the user.


67. Why is it important to limit the lifespan of session tokens?

A) To reduce the impact of token theft
B) To allow users to log in from multiple devices
C) To improve website performance
D) To make authentication easier

Answer: A) To reduce the impact of token theft

Explanation: Short-lived session tokens ensure stolen tokens expire quickly, reducing the window for session hijacking.


68. What is the benefit of rotating session tokens periodically?

A) It makes session hijacking more difficult
B) It allows users to remain logged in indefinitely
C) It speeds up authentication
D) It prevents password resets

Answer: A) It makes session hijacking more difficult

Explanation: Rotating session tokens frequently ensures that even if a token is stolen, it becomes invalid quickly.


69. What is the primary reason for enforcing a session timeout policy?

A) To reduce the risk of session hijacking
B) To increase website speed
C) To allow users to stay logged in longer
D) To store user credentials in session cookies

Answer: A) To reduce the risk of session hijacking

Explanation: Session timeouts ensure that inactive sessions expire, reducing the window of opportunity for attackers to hijack them.


70. Which of the following is an effective way to mitigate session hijacking?

A) Enforcing secure cookie attributes and regenerating session IDs
B) Allowing session IDs in URLs for easy tracking
C) Using persistent session tokens stored in local storage
D) Keeping sessions active indefinitely

Answer: A) Enforcing secure cookie attributes and regenerating session IDs

Explanation: Secure cookie attributes (e.g., HttpOnly, Secure, SameSite) and session ID regeneration help prevent hijacking.


71. Why is it important to log out users on abnormal session behavior detection?

A) To force them to re-authenticate and verify their session
B) To improve website performance
C) To reset their password automatically
D) To allow session reuse on different devices

Answer: A) To force them to re-authenticate and verify their session

Explanation: Detecting anomalies like IP address changes or device switches should trigger an automatic logout to prevent session hijacking.


72. How can Cross-Origin Resource Sharing (CORS) misconfigurations lead to session hijacking?

A) By allowing unauthorized third-party domains to access session cookies
B) By blocking session expiration
C) By encrypting session cookies incorrectly
D) By requiring two-factor authentication

Answer: A) By allowing unauthorized third-party domains to access session cookies

Explanation: Misconfigured CORS policies can let attackers steal session data via cross-origin requests.


73. What happens if session tokens are stored in local storage?

A) They become accessible to JavaScript and are vulnerable to XSS attacks
B) They are automatically encrypted
C) They expire instantly
D) They are only accessible to the server

Answer: A) They become accessible to JavaScript and are vulnerable to XSS attacks

Explanation: Session tokens in local storage can be stolen via XSS attacks, allowing session hijacking.


74. Why should developers avoid using static session IDs?

A) They can be predicted and used for session hijacking
B) They reduce server load
C) They improve session persistence
D) They prevent authentication bypass

Answer: A) They can be predicted and used for session hijacking

Explanation: Static session IDs are easier to brute-force, making them vulnerable to session hijacking attacks.


75. What is a major security flaw of allowing unlimited session lifetimes?

A) It increases the risk of session hijacking and unauthorized access
B) It makes user experience smoother
C) It prevents brute-force attacks
D) It reduces the need for two-factor authentication

Answer: A) It increases the risk of session hijacking and unauthorized access

Explanation: Long-lived sessions allow attackers to reuse stolen session tokens for extended periods.


76. Why is it recommended to implement IP-based session tracking?

A) To detect session hijacking when an IP address changes unexpectedly
B) To allow users to log in from different locations without security checks
C) To enforce a single session ID for all users
D) To improve browser performance

Answer: A) To detect session hijacking when an IP address changes unexpectedly

Explanation: IP tracking helps detect suspicious activity by alerting users when a session is accessed from an unknown location.


77. What is the purpose of session token hashing?

A) To prevent attackers from reading session tokens if they access storage
B) To improve session performance
C) To increase session expiration times
D) To store session IDs in local storage

Answer: A) To prevent attackers from reading session tokens if they access storage

Explanation: The server stores only a hash (for example SHA-256) of each token and hashes the presented token again on lookup. A leaked session table then contains digests that cannot be replayed as bearer tokens, because the raw value exists only in the user's cookie. Session tokens are high-entropy, so a fast unsalted hash suffices here; the slow password-hashing functions are unnecessary.
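As an added illustration of questions 77 and 149 (this code is not part of the quiz), here is a minimal server-side session store that keeps only SHA-256 digests of the tokens it issues. `SessionStore`, `issue`, `lookup`, `revoke` and `leak_is_useless` are invented names; the store is an in-memory dict standing in for a database table.

```python
import hashlib
import secrets
import time
from typing import Dict, List, Optional

TOKEN_BYTES = 32  # 256 bits from the OS CSPRNG; far beyond what enumeration can cover


def token_digest(token: str) -> str:
    """Storage key for a token. Session tokens are high-entropy, so a fast
    unsalted hash is sufficient (unlike passwords, which need a slow KDF)."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class SessionStore:
    """Hypothetical server-side session table keyed by token digest."""

    def __init__(self) -> None:
        self._by_digest: Dict[str, dict] = {}

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        """Create a session and return the raw token for the Set-Cookie header.
        The raw value is handed out exactly once and never written to the store."""
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._by_digest[token_digest(token)] = {
            "user_id": user_id,
            "created": time.time() if now is None else now,
        }
        return token

    def lookup(self, token: str) -> Optional[dict]:
        """Resolve a presented token; returns None for unknown or revoked tokens."""
        return self._by_digest.get(token_digest(token))

    def revoke(self, token: str) -> bool:
        """Logout / revocation: drop the record so the token is dead server-side."""
        return self._by_digest.pop(token_digest(token), None) is not None

    def dump(self) -> List[str]:
        """What a leaked copy of the session table contains: digests only."""
        return list(self._by_digest)


def leak_is_useless(store: SessionStore) -> bool:
    """Every value an attacker could read from the dump fails authentication."""
    return all(store.lookup(leaked) is None for leaked in store.dump())


if __name__ == "__main__":
    s = SessionStore()
    t = s.issue("alice")
    print("login ok:", s.lookup(t) is not None)
    print("dump usable:", not leak_is_useless(s))
```

Because the digest is the lookup key, the store never needs the raw token after issuance; a database read replica, a backup, or a log of the table therefore exposes nothing an attacker can present to the application.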


78. Which protocol ensures secure transmission of session tokens?

A) HTTPS
B) HTTP
C) FTP
D) Telnet

Answer: A) HTTPS

Explanation: HTTPS encrypts session data, preventing session hijacking via MITM attacks.


79. What is the most secure way to transmit session IDs?

A) Over HTTPS in HttpOnly cookies
B) Through URL parameters
C) In browser local storage
D) Over HTTP with long expiration

Answer: A) Over HTTPS in HttpOnly cookies

Explanation: The HttpOnly attribute keeps the cookie out of reach of document.cookie, so an XSS payload cannot read and exfiltrate it (script running in the page can still issue requests that carry it). HTTPS, together with the Secure attribute, keeps the cookie off the wire in cleartext where a man-in-the-middle could read it.


80. Why should session tokens be unique for every user session?

A) To prevent attackers from reusing session tokens
B) To allow faster session validation
C) To make session IDs easier to remember
D) To reduce server workload

Answer: A) To prevent attackers from reusing session tokens

Explanation: A token must identify exactly one session. A shared or recycled token would let one holder act as another, and a token carried over from an earlier session of the same user would remain valid long after that session should have ended.


81. What security measure can prevent attackers from guessing session tokens?

A) Using strong, random session tokens
B) Storing session tokens in local storage
C) Using a short session timeout
D) Sharing session IDs across multiple users

Answer: A) Using strong, random session tokens

Explanation: Random, unpredictable session tokens make it nearly impossible for attackers to guess valid sessions.


82. How does an attacker exploit an insecure session termination process?

A) By using a still-active session token after logout
B) By forcing a user to change their password
C) By modifying session storage
D) By increasing session expiration time

Answer: A) By using a still-active session token after logout

Explanation: If sessions are not properly terminated on logout, attackers can reuse active session tokens.


83. Why is multi-factor authentication (MFA) recommended for securing sessions?

A) It adds an extra layer of authentication to prevent unauthorized access
B) It prevents session expiration
C) It increases session lifetime
D) It allows users to log in without a password

Answer: A) It adds an extra layer of authentication to prevent unauthorized access

Explanation: MFA makes it harder to establish a session fraudulently: a stolen password alone no longer yields a login. It does not by itself protect a session token stolen after login, so it should be paired with short session lifetimes and re-authentication for sensitive actions.


84. What is a major risk of using third-party authentication services?

A) Dependency on external security policies
B) Improved user experience
C) Faster authentication process
D) Reduced need for session management

Answer: A) Dependency on external security policies

Explanation: Third-party authentication services require trusting external security implementations, which may have vulnerabilities.


85. What is an effective way to prevent session fixation?

A) Assign a new session ID upon user login
B) Use the same session ID across multiple users
C) Store session IDs in URL parameters
D) Allow session reuse after logout

Answer: A) Assign a new session ID upon user login

Explanation: Regenerating session IDs after login prevents session fixation attacks.
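To make the fixation scenario from questions 3, 4 and 85 concrete, here is an added example (not code from the quiz) of a tiny session layer that can be configured either to keep the pre-authentication session ID at login, which is the vulnerable behaviour, or to regenerate it. `SessionLayer` and `fixation_attack` are invented names.

```python
import secrets
from typing import Dict, Optional


class SessionLayer:
    """Hypothetical session handling with a switch for the fixation fix."""

    def __init__(self, regenerate_on_login: bool) -> None:
        self.regenerate_on_login = regenerate_on_login
        self.sessions: Dict[str, Dict] = {}  # session_id -> {"user": ...}

    def start(self) -> str:
        """Begin an anonymous (pre-login) session, as a first visit does."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid: str, user: str) -> str:
        """Authenticate the session and return the ID the client must use from now on."""
        if sid not in self.sessions:
            raise KeyError("unknown session")
        if self.regenerate_on_login:
            # Fix: discard the old (possibly attacker-chosen) ID and mint a fresh one.
            # Any party still holding the old ID now holds nothing.
            del self.sessions[sid]
            sid = secrets.token_urlsafe(32)
            self.sessions[sid] = {"user": None}
        self.sessions[sid]["user"] = user
        return sid

    def whoami(self, sid: str) -> Optional[str]:
        rec = self.sessions.get(sid)
        return rec["user"] if rec else None


def fixation_attack(server: SessionLayer) -> Optional[str]:
    """Attacker obtains a valid anonymous ID, plants it on the victim, and checks
    whether that same ID is authenticated after the victim logs in."""
    planted = server.start()           # attacker's own anonymous session
    # The attacker delivers `planted` to the victim (link, injected cookie, etc.);
    # the victim's browser now presents it when logging in.
    server.login(planted, "victim")    # victim authenticates with the planted ID
    return server.whoami(planted)      # attacker tries the ID they still hold


if __name__ == "__main__":
    print("vulnerable:", fixation_attack(SessionLayer(regenerate_on_login=False)))
    print("fixed:     ", fixation_attack(SessionLayer(regenerate_on_login=True)))
```

With regeneration disabled the attacker's copy of the ID resolves to the victim's account; with it enabled the planted ID is deleted at login and resolves to nothing. Frameworks expose this as a one-liner (for example `session.regenerate()` or an equivalent), and the same rotation should happen on privilege changes, not only at password login.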


86. What happens when a session token is exposed in logs?

A) Attackers can steal and reuse the session token
B) The session automatically expires
C) The session ID becomes unreadable
D) The session remains unaffected

Answer: A) Attackers can steal and reuse the session token

Explanation: Logging sensitive data like session tokens makes them vulnerable to session hijacking.


87. What is the best way to protect session tokens from being intercepted in a Man-in-the-Middle (MITM) attack?

A) Always use HTTPS for all session-related communications
B) Store session tokens in local storage
C) Allow session tokens to be passed via URL parameters
D) Set session cookies with a long expiration time

Answer: A) Always use HTTPS for all session-related communications

Explanation: HTTPS encrypts session data during transmission, preventing attackers from intercepting session tokens via MITM attacks.


88. What is an effective way to prevent unauthorized access to a session after a user logs out?

A) Ensure session tokens are invalidated and removed from storage
B) Keep the session ID the same for all logins
C) Allow users to resume their session without authentication
D) Store session tokens in browser local storage

Answer: A) Ensure session tokens are invalidated and removed from storage

Explanation: Proper logout mechanisms destroy session tokens on both client and server sides, preventing reuse.


89. What role does “device fingerprinting” play in session security?

A) It helps identify if a session is accessed from an unrecognized device
B) It replaces session expiration mechanisms
C) It speeds up user authentication
D) It allows session sharing across multiple devices

Answer: A) It helps identify if a session is accessed from an unrecognized device

Explanation: Device fingerprinting helps detect anomalies, such as access from new devices or locations, which could indicate session hijacking.


90. Why should developers avoid storing session IDs in hidden form fields?

A) They can be exposed to attackers through Cross-Site Scripting (XSS)
B) They make session authentication faster
C) They prevent brute-force attacks
D) They improve session persistence

Answer: A) They can be exposed to attackers through Cross-Site Scripting (XSS)

Explanation: A value placed in the DOM is readable by any script running in the page, so an XSS payload can lift it, whereas an HttpOnly cookie is not exposed to script at all. Hidden fields also end up in the page source and browser cache, and in the URL, proxy logs and Referer header if the form is submitted with GET.


91. What is the purpose of implementing session revocation?

A) To immediately terminate a compromised or inactive session
B) To increase session lifetime
C) To allow multiple users to share the same session
D) To store session IDs in browser storage

Answer: A) To immediately terminate a compromised or inactive session

Explanation: Session revocation ensures compromised or inactive sessions are terminated immediately to prevent misuse.


92. What is a potential risk of enabling “Remember Me” functionality for user sessions?

A) It creates long-lived session tokens that can be stolen
B) It speeds up the login process
C) It reduces the number of authentication attempts
D) It forces session expiration after every login

Answer: A) It creates long-lived session tokens that can be stolen

Explanation: Persistent login sessions increase the risk of session hijacking, especially if the device is lost or stolen.


93. Why should session identifiers be generated using cryptographic randomness?

A) To make them unpredictable and resistant to brute-force attacks
B) To reduce server processing time
C) To allow easier session sharing
D) To ensure session persistence across multiple logins

Answer: A) To make them unpredictable and resistant to brute-force attacks

Explanation: Cryptographically secure session IDs prevent attackers from guessing or predicting valid session tokens.


94. What is a key benefit of implementing session isolation between multiple user accounts?

A) It prevents one user from accessing another user’s session data
B) It speeds up authentication requests
C) It allows sessions to persist longer
D) It enables session sharing across different browsers

Answer: A) It prevents one user from accessing another user’s session data

Explanation: Session isolation ensures users cannot access or manipulate other users’ sessions, preventing unauthorized access.


95. How can attackers exploit session fixation vulnerabilities?

A) By forcing a victim to use a predetermined session ID
B) By performing a dictionary attack on login credentials
C) By injecting SQL into the authentication form
D) By encrypting session tokens on the client-side

Answer: A) By forcing a victim to use a predetermined session ID

Explanation: In session fixation attacks, an attacker forces a user to use a known session ID, allowing the attacker to take over the session after authentication.


96. What is the purpose of using refresh tokens in authentication flows?

A) To obtain new access tokens without requiring the user to log in again
B) To store user credentials securely
C) To allow sessions to persist indefinitely
D) To replace session cookies

Answer: A) To obtain new access tokens without requiring the user to log in again

Explanation: The access token presented on every request can be short-lived because the refresh token, which is sent only to the token endpoint, obtains a replacement. The refresh token is itself long-lived, so it must be stored more carefully, rotated on every use, and revocable server-side.


97. What is a potential consequence of allowing session tokens to be stored in browser cache?

A) Attackers can extract session tokens from cached data
B) It speeds up page load times
C) It improves session expiration management
D) It ensures sessions remain active across browser restarts

Answer: A) Attackers can extract session tokens from cached data

Explanation: Cached session tokens can be extracted and reused by attackers, leading to session hijacking.


98. How can session hijacking be prevented in WebSockets-based applications?

A) Use token-based authentication and restrict access via secure channels
B) Store session IDs in local storage for easy access
C) Allow session reuse across multiple devices
D) Disable WebSocket encryption

Answer: A) Use token-based authentication and restrict access via secure channels

Explanation: The WebSocket handshake is an ordinary HTTP request, so the usual controls apply: wss:// (TLS) for the channel, server-side validation of the Origin header (browsers do not enforce the same-origin policy for WebSocket connections, so any site can open one with the user's cookies), and authentication of the connection with a session cookie or a token sent in the first message rather than in the URL.


99. What security measure helps protect against session enumeration attacks?

A) Generating long, unpredictable session IDs
B) Storing session tokens in URLs
C) Allowing session reuse after logout
D) Using static session IDs

Answer: A) Generating long, unpredictable session IDs

Explanation: Session enumeration attacks occur when attackers guess session tokens, which can be prevented by using long, random session identifiers.


100. What is the primary security risk of allowing users to remain logged in indefinitely?

A) It increases the risk of unauthorized access if a session is hijacked
B) It improves user experience
C) It speeds up the authentication process
D) It reduces brute-force attack attempts

Answer: A) It increases the risk of unauthorized access if a session is hijacked

Explanation: Long-lived sessions make it easier for attackers to hijack and reuse sessions, increasing the risk of unauthorized access.


101. What is an effective way to detect session hijacking in real-time?

A) Monitor user behavior for anomalies such as IP and device changes
B) Allow session reuse from multiple locations
C) Store session tokens in browser local storage
D) Extend session timeout indefinitely

Answer: A) Monitor user behavior for anomalies such as IP and device changes

Explanation: Real-time monitoring of session activity, such as detecting changes in IP address, geolocation, or device fingerprinting, helps identify session hijacking attempts.


102. Why should session cookies be marked as “SameSite=Strict” in web applications?

A) To prevent cookies from being sent in cross-site requests, mitigating CSRF attacks
B) To allow third-party websites to access session tokens
C) To store session tokens in browser local storage
D) To make session cookies persistent across multiple logins

Answer: A) To prevent cookies from being sent in cross-site requests, mitigating CSRF attacks

Explanation: Setting SameSite=Strict ensures that session cookies are only sent on same-site requests, so a forged cross-site form post arrives without the session. Strict also withholds the cookie on top-level navigations from other sites, so a user following a link from e-mail arrives logged out; many applications therefore use Lax for the session cookie and keep CSRF tokens for the remaining cases. SameSite is defense in depth, not a replacement for CSRF tokens.


103. What is the best security practice for handling expired session tokens?

A) Invalidate them on both client and server sides immediately
B) Store them in local storage for future reference
C) Allow expired tokens to be refreshed automatically
D) Extend their validity for up to 24 hours

Answer: A) Invalidate them on both client and server sides immediately

Explanation: Expired session tokens should be removed from both client and server storage to prevent reuse in session hijacking or replay attacks.


104. What is the purpose of setting an inactivity timeout in session management?

A) To automatically log out users after a period of inactivity
B) To allow users to stay logged in indefinitely
C) To store session IDs in browser cache
D) To encrypt session tokens for additional security

Answer: A) To automatically log out users after a period of inactivity

Explanation: Inactivity timeouts reduce the risk of unauthorized access by logging out users who leave their sessions open but unattended.


105. How can session tokens be protected from Cross-Site Scripting (XSS) attacks?

A) By storing them in HTTP-only cookies
B) By placing them in local storage for faster access
C) By sending them in URL parameters
D) By making them visible to JavaScript

Answer: A) By storing them in HTTP-only cookies

Explanation: HTTP-only cookies prevent JavaScript from accessing session tokens, mitigating XSS-based token theft.


106. Why should session cookies not be stored in a browser’s persistent storage?

A) Persistent storage can be accessed by attackers through XSS or malware
B) It improves session loading time
C) It allows session reuse across devices
D) It prevents CSRF attacks

Answer: A) Persistent storage can be accessed by attackers through XSS or malware

Explanation: Web Storage (localStorage, sessionStorage) and IndexedDB are readable by any script running in the page's origin, so a single XSS bug exports the token; localStorage and IndexedDB also survive browser restarts, so a token stored there remains on disk. An HttpOnly cookie is not readable by script at all.


107. How does token expiration help in session security?

A) It reduces the risk of replay attacks by ensuring tokens are only valid for a short period
B) It increases the speed of authentication requests
C) It allows session sharing across multiple devices
D) It prevents the need for user authentication

Answer: A) It reduces the risk of replay attacks by ensuring tokens are only valid for a short period

Explanation: Short-lived session tokens reduce the risk of session hijacking, as expired tokens cannot be reused in replay attacks.


108. What should be done if an application detects an unauthorized session?

A) Immediately terminate the session and alert the user
B) Extend the session timeout for verification
C) Store the session ID for future analysis
D) Allow the session to continue for monitoring

Answer: A) Immediately terminate the session and alert the user

Explanation: Immediate session termination prevents further unauthorized access, and notifying the user allows them to take corrective action.


109. Why is token rotation important in secure session management?

A) It prevents attackers from reusing stolen session tokens
B) It speeds up the authentication process
C) It allows session reuse across multiple devices
D) It removes the need for HTTPS

Answer: A) It prevents attackers from reusing stolen session tokens

Explanation: Token rotation periodically refreshes session tokens, reducing the risk of session hijacking and replay attacks.


110. How does implementing session pinning enhance security?

A) It binds the session to a specific device or IP, preventing unauthorized reuse
B) It allows session sharing across multiple devices
C) It stores session tokens in browser cache
D) It removes the need for multi-factor authentication

Answer: A) It binds the session to a specific device or IP, preventing unauthorized reuse

Explanation: Session pinning ties a session to attributes of the client so that a token presented from elsewhere is rejected. It works best with signals an attacker cannot easily forge, such as a TLS client certificate or a device-bound key; a User-Agent string is copied along with the cookie, and IP checks trip over NAT, VPNs and mobile roaming, so those are better treated as anomaly signals than as hard binds.


111. What is the main reason to enforce session expiration even for active users?

A) To limit the impact of a stolen session token
B) To force users to log in more frequently
C) To improve application speed
D) To store session data persistently

Answer: A) To limit the impact of a stolen session token

Explanation: Enforcing session expiration ensures that even if a session token is stolen, it will expire after a set period, reducing its usability.


112. Why should session IDs be generated using a cryptographically secure random function?

A) To prevent attackers from predicting valid session tokens
B) To allow easier session management
C) To make session persistence more effective
D) To store session IDs in URLs

Answer: A) To prevent attackers from predicting valid session tokens

Explanation: Predictable session IDs can be guessed by attackers, allowing them to hijack user sessions.


113. What is the risk of allowing concurrent sessions for the same user account?

A) Attackers may hijack a session without terminating existing ones
B) It improves user experience by allowing multiple logins
C) It speeds up authentication requests
D) It prevents session expiration

Answer: A) Attackers may hijack a session without terminating existing ones

Explanation: When several sessions can be active at once, a hijacked session coexists with the legitimate one and the user sees nothing unusual. Showing users their active sessions with a way to revoke them, or capping the number per account, limits this.


114. What type of attack is mitigated by implementing CSRF tokens?

A) Cross-Site Request Forgery (CSRF) attacks
B) SQL Injection attacks
C) Command Injection attacks
D) Buffer Overflow attacks

Answer: A) Cross-Site Request Forgery (CSRF) attacks

Explanation: CSRF tokens prevent unauthorized requests from being executed on behalf of an authenticated user.


115. How can a security team identify session hijacking attempts?

A) By analyzing logs for unusual session behavior
B) By increasing session expiration time
C) By using static session IDs
D) By storing session data in local storage

Answer: A) By analyzing logs for unusual session behavior

Explanation: Monitoring session logs for anomalies (e.g., multiple logins from different locations) helps detect session hijacking.


116. What is a good practice for handling session tokens in mobile applications?

A) Store them securely using platform-specific secure storage
B) Store them in local storage for easy access
C) Transmit them in URL parameters
D) Keep them valid indefinitely

Answer: A) Store them securely using platform-specific secure storage

Explanation: Secure storage (e.g., Android Keystore, iOS Keychain) prevents session token theft on mobile devices.


117. What is the most effective way to protect against session replay attacks?

A) Implementing session tokens with nonce and expiration time
B) Storing session tokens in local storage
C) Using static session IDs for all users
D) Allowing session reuse across multiple devices

Answer: A) Implementing session tokens with nonce and expiration time

Explanation: Using a nonce (unique one-time token) and short expiration time prevents attackers from reusing captured session tokens in session replay attacks.


118. Why should session cookies have the “Secure” flag enabled?

A) To prevent session tokens from being sent over unencrypted HTTP connections
B) To allow cookies to be accessed via JavaScript
C) To store cookies in local storage
D) To make session expiration configurable

Answer: A) To prevent session tokens from being sent over unencrypted HTTP connections

Explanation: The Secure flag ensures that cookies are only transmitted over HTTPS, preventing man-in-the-middle (MITM) attacks.


119. What is the main benefit of implementing a session inactivity timeout?

A) It logs out users who are inactive, reducing the window for session hijacking
B) It keeps the session active for longer periods
C) It speeds up login attempts
D) It allows session IDs to be reused

Answer: A) It logs out users who are inactive, reducing the window for session hijacking

Explanation: An inactivity timeout ensures that abandoned sessions are automatically terminated, reducing the risk of session hijacking.


120. How does enforcing an absolute session timeout improve security?

A) It limits the maximum time a session can remain active, even if the user is active
B) It prevents users from logging out manually
C) It allows users to remain logged in indefinitely
D) It forces users to re-enter passwords on every request

Answer: A) It limits the maximum time a session can remain active, even if the user is active

Explanation: Absolute session timeout ensures that all sessions expire after a set period, reducing the risk of long-term session hijacking.
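Questions 104, 111, 119 and 120 describe two separate clocks. The added example below (not quiz code) evaluates both with an injectable timestamp so the policy can be tested without sleeping; `Session`, `check_session`, `touch` and `simulate` are invented names and the limits are arbitrary.

```python
from dataclasses import dataclass
from typing import List, Optional

IDLE_LIMIT = 15 * 60        # 15 minutes without a request
ABSOLUTE_LIMIT = 8 * 3600   # 8 hours since login, regardless of activity


@dataclass
class Session:
    user: str
    created_at: float   # login time
    last_seen: float    # last authenticated request


def check_session(s: Session, now: float) -> Optional[str]:
    """Return None if the session is still valid, else the reason it expired.
    The absolute limit is checked first: an attacker holding a stolen token
    cannot keep it alive forever by sending a request every few minutes."""
    if now - s.created_at >= ABSOLUTE_LIMIT:
        return "absolute"
    if now - s.last_seen >= IDLE_LIMIT:
        return "idle"
    return None


def touch(s: Session, now: float) -> bool:
    """Run on each authenticated request; refreshes last_seen only while valid."""
    if check_session(s, now) is not None:
        return False
    s.last_seen = now
    return True


def simulate(requests_at: List[float], login_at: float = 0.0) -> List[bool]:
    """Replay request timestamps (seconds) and report which ones were accepted."""
    s = Session("alice", login_at, login_at)
    return [touch(s, t) for t in requests_at]


if __name__ == "__main__":
    print(simulate([60, 600, 1200]))                 # steady use: all accepted
    print(simulate([60, 60 + IDLE_LIMIT]))           # second request after idle limit
    print(simulate([i * 600 for i in range(1, 50)])[-3:])  # dies at the absolute limit
```

Once a session has expired for either reason the server should delete its record rather than merely refuse it, so a later request with the same token cannot be mistaken for a fresh session.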


121. What is a key security feature of OAuth-based session management?

A) Using access tokens with short expiration times and refresh tokens
B) Storing session tokens in URL parameters
C) Using static session tokens
D) Allowing session sharing across multiple users

Answer: A) Using access tokens with short expiration times and refresh tokens

Explanation: Short-lived access tokens combined with refresh tokens reduce the risk of session hijacking while maintaining usability.


122. How does logging session activity help improve security?

A) It helps detect unauthorized access attempts and anomalies
B) It allows users to recover old session tokens
C) It improves website speed
D) It prevents session expiration

Answer: A) It helps detect unauthorized access attempts and anomalies

Explanation: Monitoring session logs for unusual activity (e.g., logins from different locations) helps detect session hijacking.
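The detection idea in questions 76, 101, 110, 115 and 122 can be run as a batch check over access logs. The following is an added example, not code from the quiz: the log format, the five lines in `SAMPLE_LOG` and the `WINDOW` threshold are constructed for the demo, and `find_hijack_signals` is an invented name. It scores a session as suspicious when the same ID appears from a different IP within a short window or with a different User-Agent; the output is an alerting signal, not a hard kill switch, because NAT and mobile roaming produce legitimate IP changes.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed sample: "<unix ts> sid=<session> user=<name> ip=<addr> ua=<agent>"
SAMPLE_LOG = """\
1700000000 sid=a1 user=alice ip=203.0.113.10 ua=Firefox/120
1700000030 sid=a1 user=alice ip=203.0.113.10 ua=Firefox/120
1700000045 sid=a1 user=alice ip=198.51.100.7 ua=curl/8.4
1700000100 sid=b2 user=bob ip=192.0.2.44 ua=Chrome/119
1700003700 sid=b2 user=bob ip=192.0.2.45 ua=Chrome/119
"""

WINDOW = 300  # seconds: two IPs inside this window is suspicious; an hour apart may be roaming


def parse(line: str) -> dict:
    """Turn one log line into a dict; ts becomes an int for arithmetic."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = int(ts)
    return rec


def find_hijack_signals(log_text: str) -> List[dict]:
    """Compare consecutive events of each session and report anomalies."""
    by_sid: Dict[str, List[dict]] = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            r = parse(line)
            by_sid[r["sid"]].append(r)

    findings = []
    for sid, events in by_sid.items():
        events.sort(key=lambda e: e["ts"])
        for prev, cur in zip(events, events[1:]):
            reasons = []
            if cur["ip"] != prev["ip"] and cur["ts"] - prev["ts"] <= WINDOW:
                reasons.append("ip-change-within-window")
            if cur["ua"] != prev["ua"]:
                reasons.append("user-agent-change")  # a UA rarely changes mid-session
            if reasons:
                findings.append({"sid": sid, "user": cur["user"],
                                 "ts": cur["ts"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_hijack_signals(SAMPLE_LOG):
        print(f)
```

On the sample, session a1 is flagged (new IP and a command-line client 15 seconds after a browser request), while bob's IP change an hour later is left alone. In production the response to a flag is typically to require re-authentication or notify the user, with a hard termination reserved for high-confidence cases.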


123. Why should session tokens never be stored in browser cache?

A) Attackers can extract session tokens from cached data
B) It improves page loading speed
C) It ensures users stay logged in longer
D) It prevents XSS attacks

Answer: A) Attackers can extract session tokens from cached data

Explanation: Browser caching can store sensitive session data, making it vulnerable to session hijacking attacks. Responses for authenticated pages should be served with Cache-Control: no-store, and tokens should never appear in URLs, which browsers cache and record in history.


124. What is a major risk of allowing session tokens in URL parameters?

A) They can be exposed in browser history, logs, and referrer headers
B) They prevent CSRF attacks
C) They improve session security
D) They help users log in faster

Answer: A) They can be exposed in browser history, logs, and referrer headers

Explanation: Session tokens in URLs can be recorded in logs and shared via referrer headers, making them susceptible to theft.
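Questions 86 and 124 both come down to tokens reaching places they should not. Beyond keeping them out of URLs, a log pipeline can scrub them before they are written. The following added example (not quiz code) redacts session identifiers and bearer tokens from request lines, Cookie headers and Authorization headers; the parameter names in `SENSITIVE_PARAMS` and the sample lines are assumptions for the demo.

```python
import re
from typing import List

# Parameter / cookie names treated as session-bearing (assumed for this demo).
SENSITIVE_PARAMS = ("sid", "sessionid", "token", "access_token")

# name=value in a query string or Cookie header; value stops at & ; # or whitespace
_PARAM_RE = re.compile(r"(?i)\b(%s)=([^&;#\s]+)" % "|".join(SENSITIVE_PARAMS))
# Authorization: Bearer <token>
_BEARER_RE = re.compile(r"(?i)(Authorization:\s*Bearer\s+)(\S+)")


def redact(line: str) -> str:
    """Replace token values with a placeholder, keeping the surrounding structure
    so the log line stays useful for debugging."""
    line = _PARAM_RE.sub(r"\1=[REDACTED]", line)
    line = _BEARER_RE.sub(r"\1[REDACTED]", line)
    return line


def redact_all(lines: List[str]) -> List[str]:
    return [redact(l) for l in lines]


if __name__ == "__main__":
    # Constructed sample lines, not from a real system.
    for raw in [
        "GET /home?sid=abc123&lang=en HTTP/1.1",
        "Cookie: theme=dark; sessionid=xyz789",
        "Authorization: Bearer eyJhbGci.payload.sig",
        "Referer: https://example.test/reset?token=t0k3n",
    ]:
        print(redact(raw))
```

Redaction is a backstop for the cases the page lists (proxy logs, crash dumps, Referer leakage); the primary control remains not putting the token in the URL at all.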


125. How can an attacker exploit session fixation vulnerabilities?

A) By forcing a victim to use a predetermined session ID before authentication
B) By injecting SQL into the authentication form
C) By encrypting session tokens on the client side
D) By performing a brute-force attack on login credentials

Answer: A) By forcing a victim to use a predetermined session ID before authentication

Explanation: Session fixation attacks force users to authenticate using a pre-set session ID, which the attacker can then hijack.


126. What is an effective mitigation against Cross-Site Request Forgery (CSRF) attacks in session-based authentication?

A) Implementing CSRF tokens with every state-changing request
B) Using weak passwords for authentication
C) Storing session IDs in local storage
D) Allowing authentication requests from any domain

Answer: A) Implementing CSRF tokens with every state-changing request

Explanation: CSRF tokens validate that the request is initiated by the authenticated user, preventing unauthorized session actions.


127. Why should applications restrict session access based on geolocation?

A) To detect unauthorized access from unusual locations
B) To increase website loading speed
C) To allow users to log in from anywhere
D) To ensure sessions persist indefinitely

Answer: A) To detect unauthorized access from unusual locations

Explanation: A session that is suddenly used from a country the user has never logged in from is a strong hijacking signal. Geolocation derived from IP is coarse and wrong for VPN and mobile users, so it is best used to trigger re-authentication or a notification rather than a silent block.


128. How does using multi-factor authentication (MFA) enhance session security?

A) It adds an extra layer of verification, making session hijacking more difficult
B) It allows users to log in without passwords
C) It increases session expiration time
D) It makes session cookies accessible in local storage

Answer: A) It adds an extra layer of verification, making session hijacking more difficult

Explanation: MFA strengthens the login step: a stolen or phished password alone is no longer enough to obtain a session. It does not protect a session token stolen after login, because the cookie is issued only once all factors have been verified and is not re-checked on later requests. To limit that exposure, pair MFA with short session lifetimes, HttpOnly and Secure cookies, and step-up re-authentication before sensitive actions.


129. What is the best response to detecting a session hijacking attempt?

A) Immediately terminate the session and require reauthentication
B) Extend the session expiration time
C) Allow the session to continue for monitoring
D) Encrypt all session tokens

Answer: A) Immediately terminate the session and require reauthentication

Explanation: Immediate session termination prevents further unauthorized access, and re-authentication ensures only legitimate users regain access.


130. What is a good security practice for managing API session tokens?

A) Use short-lived access tokens with a secure refresh mechanism
B) Store API tokens in local storage
C) Allow session tokens to be shared across applications
D) Use the same session token for multiple users

Answer: A) Use short-lived access tokens with a secure refresh mechanism

Explanation: Short-lived API tokens reduce the risk of exposure, and refresh tokens allow secure session renewal without long-lived access tokens.


131. What is the primary purpose of session invalidation upon user logout?

A) To prevent the reuse of session tokens by attackers
B) To improve page loading speed
C) To allow users to resume their session later
D) To store session data for future use

Answer: A) To prevent the reuse of session tokens by attackers

Explanation: Session invalidation ensures that session tokens cannot be reused after logout, preventing session hijacking.


132. Why is it important to limit the number of concurrent sessions per user?

A) To prevent attackers from hijacking multiple active sessions
B) To reduce server load
C) To improve authentication speed
D) To allow users to log in from multiple locations

Answer: A) To prevent attackers from hijacking multiple active sessions

Explanation: Restricting concurrent sessions reduces the attack surface, making it harder for hijacked sessions to be exploited.


133. What is the key difference between session hijacking and session fixation?

A) Session hijacking involves stealing an active session, whereas session fixation involves forcing a user to use a pre-defined session ID
B) Session fixation happens after authentication, while session hijacking occurs before login
C) Session hijacking only affects API-based authentication
D) Session fixation requires the use of HTTPS

Answer: A) Session hijacking involves stealing an active session, whereas session fixation involves forcing a user to use a pre-defined session ID

Explanation: Session hijacking steals an existing session, while session fixation forces a user to authenticate with a known session ID.


134. How can an attacker exploit a weak session expiration policy?

A) By reusing old session tokens that have not expired
B) By bypassing authentication entirely
C) By forcing the user to log out manually
D) By deleting session tokens from browser storage

Answer: A) By reusing old session tokens that have not expired

Explanation: If session tokens do not expire properly, attackers can reuse stolen or intercepted session tokens indefinitely.


135. What is a best practice for handling session termination on the server?

A) Delete the session from the server and client simultaneously
B) Keep session IDs active for at least 24 hours
C) Only remove the session ID from the client side
D) Allow session tokens to be reused across multiple logins

Answer: A) Delete the session from the server and client simultaneously

Explanation: Session termination should ensure that tokens are removed from both the server and client sides to prevent session reuse.


136. What happens if session tokens are not rotated frequently?

A) They remain valid longer, increasing the risk of session hijacking
B) Users must log in more frequently
C) Session IDs become unreadable
D) Sessions automatically expire after one request

Answer: A) They remain valid longer, increasing the risk of session hijacking

Explanation: Regular token rotation helps limit the impact of session hijacking by ensuring old tokens become invalid.
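Questions 96, 109, 121, 130 and 136 all point at rotation. The added example below (not quiz code) implements refresh-token rotation with reuse detection: each refresh retires the token that was presented and mints a new pair, and presenting a retired token is treated as evidence of theft, which revokes the whole token family. `TokenService` and `stolen_refresh_token_scenario` are invented names; the access token is a random string standing in for a short-lived signed token.

```python
import secrets
from typing import Dict, Optional, Tuple

ACCESS_TTL = 300          # 5 minutes; not enforced here, shown for scale
REFRESH_TTL = 14 * 86400  # 14 days


class TokenService:
    """Hypothetical token endpoint with rotation and reuse detection."""

    def __init__(self) -> None:
        # refresh token -> {"family", "user", "expires", "retired"}
        self._refresh: Dict[str, dict] = {}
        self._revoked_families: set = set()

    def _mint_pair(self, user: str, family: str, now: float) -> Tuple[str, str]:
        access = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        self._refresh[refresh] = {"family": family, "user": user,
                                  "expires": now + REFRESH_TTL, "retired": False}
        return access, refresh

    def login(self, user: str, now: float) -> Tuple[str, str]:
        """A fresh login starts a new family; every rotation stays inside it."""
        return self._mint_pair(user, secrets.token_urlsafe(16), now)

    def refresh(self, presented: str, now: float) -> Optional[Tuple[str, str]]:
        rec = self._refresh.get(presented)
        if rec is None or rec["family"] in self._revoked_families:
            return None
        if now >= rec["expires"]:
            return None
        if rec["retired"]:
            # A token that was already rotated is being replayed: either the real
            # client or a thief holds a stale copy. Kill the family so both must log in.
            self._revoked_families.add(rec["family"])
            return None
        rec["retired"] = True
        return self._mint_pair(rec["user"], rec["family"], now)

    def family_revoked(self, refresh_token: str) -> bool:
        rec = self._refresh.get(refresh_token)
        return rec is not None and rec["family"] in self._revoked_families


def stolen_refresh_token_scenario(svc: TokenService) -> dict:
    """Victim logs in, a thief copies the refresh token, both try to use it."""
    _, r0 = svc.login("victim", now=0)
    thief_copy = r0
    victim_pair = svc.refresh(r0, now=60)               # victim rotates first: succeeds
    thief_result = svc.refresh(thief_copy, now=120)     # stale copy replayed: detected
    victim_after = svc.refresh(victim_pair[1], now=180)  # family revoked: forced re-login
    return {"victim_first": victim_pair is not None,
            "thief": thief_result,
            "victim_after": victim_after,
            "family_revoked": svc.family_revoked(r0)}


if __name__ == "__main__":
    print(stolen_refresh_token_scenario(TokenService()))
```

The cost of reuse detection is that the legitimate user is also logged out when a replay is seen, which is the intended outcome: the service cannot tell which holder is the thief, and a forced re-login is cheaper than an open-ended compromise. Had the thief refreshed first, the victim's next refresh would trigger the same revocation.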


137. What security issue arises from improperly implemented session storage mechanisms?

A) Attackers can access session data if stored insecurely
B) Users must log in repeatedly
C) Session duration becomes unpredictable
D) Session cookies are deleted faster

Answer: A) Attackers can access session data if stored insecurely

Explanation: If session data is stored improperly (e.g., in local storage), attackers can exploit XSS to steal session tokens.


138. Why should authentication tokens be time-limited?

A) To minimize the risk of token reuse in case of theft
B) To improve website performance
C) To ensure sessions persist indefinitely
D) To make session tracking easier

Answer: A) To minimize the risk of token reuse in case of theft

Explanation: Short-lived authentication tokens reduce the risk of attackers using stolen tokens for long periods.


139. What is an example of an insecure session fixation attack scenario?

A) An attacker provides a user with a known session ID before login
B) A user logs out of their account manually
C) A session token expires too quickly
D) A session token is stored securely in an HttpOnly cookie

Answer: A) An attacker provides a user with a known session ID before login

Explanation: Session fixation attacks force users to authenticate using an attacker-controlled session ID, allowing the attacker to take over the session.


140. What is the most effective way to prevent session token theft?

A) Encrypt session tokens in transit and use HttpOnly and Secure cookie attributes
B) Store session tokens in local storage
C) Allow session IDs in URLs
D) Keep sessions active indefinitely

Answer: A) Encrypt session tokens in transit and use HttpOnly and Secure cookie attributes

Explanation: HTTPS keeps the token unreadable in transit, the Secure attribute stops the browser from ever sending it over plain HTTP, and HttpOnly keeps it out of reach of script, closing the XSS exfiltration path. Adding a SameSite attribute further stops the cookie from riding along on cross-site requests.
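Questions 79, 102, 105, 118 and 140 all concern the attributes on the session cookie. As an added example (not part of the quiz), the helper below emits a hardened Set-Cookie header and audits an arbitrary one for the weaknesses those questions list. `session_set_cookie` and `audit_set_cookie` are invented names; the `__Host-` prefix is the standard cookie prefix that browsers only accept when the cookie is Secure, has no Domain attribute and has Path=/.

```python
from typing import Dict, List

MAX_SESSION_AGE = 30 * 24 * 3600  # audit threshold for "long-lived" (assumed policy)


def session_set_cookie(name: str, value: str, max_age: int, samesite: str = "Lax") -> str:
    """Set-Cookie header value for a session ID with the hardened attribute set."""
    if samesite not in ("Strict", "Lax"):
        raise ValueError("session cookies should use Strict or Lax, never None")
    return (f"__Host-{name}={value}; Path=/; Secure; HttpOnly; "
            f"SameSite={samesite}; Max-Age={max_age}")


def audit_set_cookie(header: str) -> List[str]:
    """Return findings for a Set-Cookie header value; an empty list means it passed."""
    parts = [p.strip() for p in header.split(";")]
    attrs: Dict[str, str] = {}
    for p in parts[1:]:                       # parts[0] is name=value
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()

    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie will also be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by script (XSS exfiltration)")
    samesite = attrs.get("samesite", "").lower()
    if samesite == "none":
        findings.append("SameSite=None: sent on cross-site requests (CSRF exposure)")
    elif samesite == "":
        findings.append("SameSite unset: relying on the browser default; set it explicitly")
    if "max-age" in attrs and int(attrs["max-age"]) > MAX_SESSION_AGE:
        findings.append("Max-Age over 30 days: long-lived session token")
    if "domain" in attrs:
        findings.append("Domain set: cookie is shared with every subdomain")
    return findings


if __name__ == "__main__":
    good = session_set_cookie("sid", "r4nd0m", 3600)
    print(good, audit_set_cookie(good))
    weak = "sid=r4nd0m; Path=/; Domain=example.test; Max-Age=31536000; SameSite=None"
    for finding in audit_set_cookie(weak):
        print(" -", finding)
```

Lax is the default here rather than Strict because Strict drops the cookie on top-level navigations from other sites, logging the user out when they follow an external link; Lax still blocks cross-site POSTs, and CSRF tokens cover the remainder.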


141. How can multi-factor authentication (MFA) reduce the impact of session hijacking?

A) It requires an additional authentication factor even if a session is stolen
B) It allows attackers to bypass password requirements
C) It eliminates the need for session expiration
D) It forces users to log in multiple times

Answer: A) It requires an additional authentication factor even if a session is stolen

Explanation: MFA raises the cost of obtaining a session in the first place (an attacker with only the password cannot log in), and step-up MFA before sensitive actions means a hijacked session cannot complete them. MFA on its own does not invalidate a stolen session cookie, which already represents a completed multi-factor login.


142. What is the role of session encryption in web security?

A) It ensures session tokens cannot be easily read or modified if intercepted
B) It speeds up authentication
C) It prevents brute-force attacks
D) It keeps session IDs persistent

Answer: A) It ensures session tokens cannot be easily read or modified if intercepted

Explanation: Two different things get called session encryption. Transport encryption (TLS) keeps the token from being read in transit. Encrypting or signing the contents of a client-side session cookie keeps an attacker from reading or tampering with the session data inside it. Neither stops an attacker who has captured the bearer token itself from replaying it; that is what HttpOnly, Secure, short lifetimes and server-side revocation are for.


143. Why is it important to restrict session access based on device or browser fingerprinting?

A) It helps detect unauthorized session access from unknown devices
B) It speeds up login processes
C) It prevents users from logging in on multiple devices
D) It makes session tokens last longer

Answer: A) It helps detect unauthorized session access from unknown devices

Explanation: Browser or device fingerprinting helps detect suspicious activity, such as login attempts from an unfamiliar device.


144. What is a good practice for managing expired session tokens?

A) Invalidate and remove them immediately from both the client and server
B) Keep them stored for future use
C) Allow them to be reused for the next session
D) Extend their expiration time

Answer: A) Invalidate and remove them immediately from both the client and server

Explanation: Expired session tokens should be removed to prevent reuse in session hijacking or replay attacks.


145. Why is logging failed session authentication attempts important?

A) To detect brute-force attacks or unauthorized login attempts
B) To track user activity for analytics
C) To increase session timeout values
D) To allow session tokens to be reused

Answer: A) To detect brute-force attacks or unauthorized login attempts

Explanation: Logging failed authentication attempts helps detect and mitigate brute-force attacks and unauthorized access attempts.


146. What is an effective mitigation for session hijacking via phishing attacks?

A) Implementing strict authentication checks, including MFA
B) Allowing session sharing across multiple devices
C) Using short-lived session tokens but no additional authentication
D) Allowing passwordless authentication

Answer: A) Implementing strict authentication checks, including MFA

Explanation: MFA and other authentication checks help ensure that session hijacking attempts carried out via phishing are unsuccessful.


147. What is the role of an anti-CSRF token in session security?

A) It prevents unauthorized state-changing actions from being executed on behalf of an authenticated user
B) It encrypts session tokens for added security
C) It allows users to remain logged in indefinitely
D) It prevents session tokens from being sent over HTTP

Answer: A) It prevents unauthorized state-changing actions from being executed on behalf of an authenticated user

Explanation: Anti-CSRF tokens ensure that only authorized requests are executed, protecting against Cross-Site Request Forgery (CSRF) attacks.


148. What security risk arises from using the same session ID across multiple devices?

A) If one device is compromised, all active sessions can be hijacked
B) It speeds up login attempts
C) It improves session persistence
D) It prevents session expiration

Answer: A) If one device is compromised, all active sessions can be hijacked

Explanation: Allowing the same session ID on multiple devices increases the risk of session hijacking, as attackers can reuse stolen session tokens.


149. Why is it important to hash session tokens when stored in a database?

A) To prevent attackers from using leaked session tokens even if the database is compromised
B) To allow session reuse across multiple users
C) To make session expiration automatic
D) To store session IDs in URLs

Answer: A) To prevent attackers from using leaked session tokens even if the database is compromised

Explanation: Hashing session tokens ensures that even if the database is breached, attackers cannot directly use stolen session tokens.


150. How can implementing session recording help in security monitoring?

A) By tracking unusual session behavior and identifying potential hijacking attempts
B) By storing session IDs in local storage
C) By allowing unlimited session lifetimes
D) By preventing session expiration

Answer: A) By tracking unusual session behavior and identifying potential hijacking attempts

Explanation: Session recording helps detect suspicious behavior, such as multiple logins from different locations, unusual session durations, or unauthorized access attempts.


151. Why should session cookies not be accessible to JavaScript?

A) To prevent attackers from stealing them via Cross-Site Scripting (XSS)
B) To speed up authentication
C) To allow session persistence across multiple logins
D) To improve website performance

Answer: A) To prevent attackers from stealing them via Cross-Site Scripting (XSS)

Explanation: Cookies marked as HttpOnly cannot be accessed by JavaScript, making them safe from XSS-based session hijacking.


152. What is the most secure method for session termination when a user logs out?

A) Destroy the session on both client and server, and remove session cookies
B) Only delete session cookies on the client side
C) Keep session tokens active for at least 24 hours after logout
D) Store the session token in local storage

Answer: A) Destroy the session on both client and server, and remove session cookies

Explanation: Secure session termination involves removing session tokens from both the client and server, ensuring they cannot be reused.


153. What is a key benefit of implementing token-based authentication instead of session-based authentication?

A) Tokens can be easily invalidated and refreshed without affecting other sessions
B) Tokens require less server storage
C) Tokens do not require encryption
D) Tokens allow authentication without passwords

Answer: A) Tokens can be easily invalidated and refreshed without affecting other sessions

Explanation: Token-based authentication allows stateless authentication, and tokens can be revoked or refreshed independently of sessions.


154. How does session hijacking differ from Cross-Site Scripting (XSS)?

A) Session hijacking involves stealing session tokens, while XSS injects malicious scripts into a web application
B) Session hijacking and XSS are identical attacks
C) XSS can only be used in network-based attacks
D) Session hijacking always requires physical access to the victim’s device

Answer: A) Session hijacking involves stealing session tokens, while XSS injects malicious scripts into a web application

Explanation: Session hijacking steals active session tokens, whereas XSS is used to inject and execute malicious JavaScript code on the client side.


155. What is a potential risk of allowing long-lived refresh tokens in API authentication?

A) If stolen, they can be used to generate new access tokens indefinitely
B) They improve user experience by reducing login frequency
C) They allow users to authenticate faster
D) They eliminate the need for multi-factor authentication

Answer: A) If stolen, they can be used to generate new access tokens indefinitely

Explanation: Long-lived refresh tokens must be carefully managed, as attackers can use them to continuously generate new access tokens if stolen.


156. Why should session identifiers be randomly generated and sufficiently long?

A) To prevent attackers from guessing valid session tokens
B) To make authentication easier for users
C) To allow sessions to persist longer
D) To make session IDs easier to store

Answer: A) To prevent attackers from guessing valid session tokens

Explanation: Random and long session tokens make brute-force guessing impractical, improving session security.


157. What is a key advantage of Single Sign-On (SSO) in session management?

A) Users only need to authenticate once for multiple services
B) It allows for multiple active session tokens
C) It eliminates the need for encryption
D) It prevents session expiration

Answer: A) Users only need to authenticate once for multiple services

Explanation: SSO allows users to log in once and access multiple services securely, reducing password fatigue and enhancing session management.


158. Why is it necessary to verify the “Referer” and “Origin” headers in sensitive requests?

A) To prevent Cross-Site Request Forgery (CSRF) attacks
B) To increase session expiration time
C) To store session data in cookies
D) To allow cross-domain authentication

Answer: A) To prevent Cross-Site Request Forgery (CSRF) attacks

Explanation: Checking the Referer and Origin headers ensures that sensitive requests come from a trusted source, helping to prevent CSRF attacks.


159. What is the purpose of setting a “SameSite” attribute for session cookies?

A) To prevent cookies from being sent in cross-site requests, mitigating CSRF attacks
B) To store session cookies permanently
C) To allow session reuse on different websites
D) To encrypt session cookies

Answer: A) To prevent cookies from being sent in cross-site requests, mitigating CSRF attacks

Explanation: The SameSite attribute ensures that session cookies are only sent with requests originating from the same site, reducing the risk of CSRF attacks.


160. How can an attacker exploit a misconfigured session expiration policy?

A) By reusing old session tokens that have not been invalidated
B) By forcing users to log out frequently
C) By reducing session timeout values
D) By enabling multi-factor authentication

Answer: A) By reusing old session tokens that have not been invalidated

Explanation: If session tokens are not properly expired and invalidated, attackers can reuse stolen session tokens, leading to session hijacking and unauthorized access.


161. Why should session tokens not be predictable?

A) Predictable tokens can be easily guessed and used for session hijacking
B) Predictable tokens speed up authentication
C) Predictable tokens allow easier session tracking
D) Predictable tokens prevent brute-force attacks

Answer: A) Predictable tokens can be easily guessed and used for session hijacking

Explanation: Random, high-entropy session tokens prevent attackers from guessing valid session tokens through brute-force methods.


162. What happens if session IDs are stored in URL parameters?

A) They can be exposed in browser history, logs, and referrer headers, leading to hijacking risks
B) They become more secure because they are encrypted
C) They ensure faster authentication
D) They improve session persistence across multiple devices

Answer: A) They can be exposed in browser history, logs, and referrer headers, leading to hijacking risks

Explanation: Session tokens in URLs are visible in logs and referrer headers, making them vulnerable to session hijacking.


163. How does session expiration improve security?

A) It limits the duration an attacker can use a stolen session token
B) It allows users to stay logged in longer
C) It prevents users from needing to reauthenticate
D) It eliminates the need for HTTPS

Answer: A) It limits the duration an attacker can use a stolen session token

Explanation: Sessions that expire reduce the risk of hijacking by ensuring that stolen tokens cannot be used indefinitely.


164. Why is it important to use secure storage mechanisms for session tokens in mobile apps?

A) To prevent token theft from malware or rooted/jailbroken devices
B) To make session tokens easily accessible
C) To allow session reuse across different devices
D) To eliminate the need for authentication

Answer: A) To prevent token theft from malware or rooted/jailbroken devices

Explanation: Secure storage mechanisms (like iOS Keychain and Android Keystore) protect session tokens from malicious apps and malware.


165. What security risk does failing to enforce session uniqueness create?

A) Users may be able to access other users’ sessions
B) It slows down authentication
C) It increases server storage requirements
D) It prevents session expiration

Answer: A) Users may be able to access other users’ sessions

Explanation: If session IDs are not unique per user and session, attackers could reuse session tokens to gain unauthorized access.


166. What is a key security benefit of session token rotation?

A) It reduces the impact of session hijacking by ensuring stolen tokens become invalid
B) It speeds up authentication
C) It prevents the need for multi-factor authentication
D) It makes session tokens easier to remember

Answer: A) It reduces the impact of session hijacking by ensuring stolen tokens become invalid

Explanation: Rotating session tokens ensures that even if an attacker steals a token, it will be replaced with a new one quickly.


167. What happens if a session timeout is too short?

A) Users will frequently be logged out, reducing usability
B) Sessions become more secure by default
C) Attackers can hijack the session more easily
D) The server will store session data indefinitely

Answer: A) Users will frequently be logged out, reducing usability

Explanation: Short session timeouts can negatively impact user experience, causing frustration and unnecessary reauthentication.


168. Why should session cookies be marked with the “HttpOnly” attribute?

A) To prevent JavaScript from accessing the session cookie, mitigating XSS attacks
B) To allow users to log in faster
C) To store session cookies permanently
D) To improve authentication speed

Answer: A) To prevent JavaScript from accessing the session cookie, mitigating XSS attacks

Explanation: HttpOnly cookies prevent JavaScript from accessing session tokens, reducing the risk of XSS-based session theft.


169. How does implementing a logout mechanism enhance security?

A) It ensures that session tokens are invalidated, preventing reuse
B) It increases the session expiration time
C) It allows attackers to access active sessions
D) It speeds up user authentication

Answer: A) It ensures that session tokens are invalidated, preventing reuse

Explanation: Logging out properly destroys the session token, preventing an attacker from reusing it.


170. What role does session binding play in securing user sessions?

A) It links a session to a specific device or IP, preventing unauthorized reuse
B) It makes session tokens last longer
C) It allows session sharing across multiple devices
D) It improves authentication speed

Answer: A) It links a session to a specific device or IP, preventing unauthorized reuse

Explanation: Session binding ensures that session tokens are valid only when used from the expected device or IP.


171. How can developers prevent brute-force attacks against session IDs?

A) Use long, cryptographically random session tokens
B) Store session IDs in browser local storage
C) Use sequential session IDs for easier tracking
D) Allow session reuse across multiple users

Answer: A) Use long, cryptographically random session tokens

Explanation: Long, unpredictable session tokens prevent attackers from guessing valid session IDs.


172. What is the main reason for enforcing session expiration even for active users?

A) To limit the duration that an attacker can use a stolen session
B) To force users to log in frequently
C) To reduce server memory usage
D) To prevent session tokens from being stored in cookies

Answer: A) To limit the duration that an attacker can use a stolen session

Explanation: Even if a user remains active, expiring sessions periodically ensures that stolen session tokens become useless over time.


173. How can monitoring failed login attempts improve session security?

A) It helps detect brute-force and unauthorized access attempts
B) It speeds up authentication
C) It allows users to log in from multiple devices
D) It prevents session expiration

Answer: A) It helps detect brute-force and unauthorized access attempts

Explanation: Monitoring failed logins helps detect attacks attempting to guess passwords or session tokens.


174. Why should session data not be stored in client-side storage like localStorage?

A) It can be accessed by malicious scripts via XSS attacks
B) It speeds up session authentication
C) It prevents session expiration
D) It allows session reuse across different devices

Answer: A) It can be accessed by malicious scripts via XSS attacks

Explanation: Storing session data in localStorage makes it vulnerable to XSS attacks, allowing attackers to steal session tokens.


175. What is an advantage of using short-lived access tokens with refresh tokens?

A) They reduce the risk of stolen tokens being reused for long periods
B) They eliminate the need for session expiration
C) They make session authentication faster
D) They allow sessions to persist indefinitely

Answer: A) They reduce the risk of stolen tokens being reused for long periods

Explanation: Short-lived access tokens ensure that even if a token is stolen, it expires quickly, while refresh tokens allow secure reauthentication.


176. Why should session activity be logged and monitored?

A) To detect unauthorized access attempts and anomalies
B) To improve website speed
C) To allow session reuse
D) To prevent authentication failures

Answer: A) To detect unauthorized access attempts and anomalies

Explanation: Logging session activity helps identify session hijacking attempts and suspicious user behavior.


177. Why should session tokens be invalidated on password reset?

A) To prevent attackers from reusing a compromised session after a password change
B) To improve website performance
C) To allow users to log in faster
D) To enable session persistence across multiple logins

Answer: A) To prevent attackers from reusing a compromised session after a password change

Explanation: Invalidating session tokens on password reset ensures that attackers who have hijacked a session cannot continue using it.


178. What is the impact of using session tokens with weak entropy?

A) They can be guessed or brute-forced, leading to session hijacking
B) They improve authentication speed
C) They make session expiration unnecessary
D) They allow session reuse across multiple logins

Answer: A) They can be guessed or brute-forced, leading to session hijacking

Explanation: Session tokens must be generated using a cryptographically secure random function to prevent attackers from guessing them.


179. How does Content Security Policy (CSP) help protect session tokens?

A) It prevents malicious scripts from executing and stealing session cookies via XSS
B) It encrypts session tokens stored in local storage
C) It stores session data securely on the client side
D) It prevents session expiration

Answer: A) It prevents malicious scripts from executing and stealing session cookies via XSS

Explanation: A properly configured CSP blocks unauthorized scripts, reducing the risk of session hijacking via XSS attacks.


180. What is a major disadvantage of using persistent session cookies?

A) If stolen, they allow attackers to access the user’s session for an extended period
B) They improve website performance
C) They prevent session hijacking
D) They reduce the need for authentication

Answer: A) If stolen, they allow attackers to access the user’s session for an extended period

Explanation: Persistent session cookies keep users logged in for long periods, which makes them a valuable target for theft.


181. How does an attacker exploit a missing “Secure” flag in session cookies?

A) By intercepting session cookies sent over an unencrypted HTTP connection
B) By brute-forcing session tokens
C) By injecting SQL into authentication fields
D) By modifying the session expiration time

Answer: A) By intercepting session cookies sent over an unencrypted HTTP connection

Explanation: Without the Secure flag, session cookies can be transmitted over HTTP, making them vulnerable to MITM (Man-in-the-Middle) attacks.


182. What is the purpose of setting a session timeout warning for users?

A) To notify users before automatic logout due to inactivity
B) To prevent CSRF attacks
C) To store session tokens securely
D) To encrypt session cookies

Answer: A) To notify users before automatic logout due to inactivity

Explanation: A session timeout warning allows users to take action before being automatically logged out, improving usability while maintaining security.


183. What is an effective mitigation against session fixation in web applications?

A) Regenerating the session ID after authentication
B) Keeping session IDs the same for every login
C) Using long-lived session cookies
D) Storing session tokens in local storage

Answer: A) Regenerating the session ID after authentication

Explanation: Regenerating the session ID upon login ensures that an attacker cannot force a victim to use a pre-determined session token.


184. What type of attack exploits the reuse of previously used session tokens?

A) Session replay attack
B) Cross-Site Request Forgery (CSRF)
C) SQL Injection
D) Clickjacking

Answer: A) Session replay attack

Explanation: In a session replay attack, an attacker intercepts and reuses a previously valid session token to impersonate a user.


185. Why should session storage mechanisms avoid using predictable session IDs?

A) Predictable session IDs make it easy for attackers to guess and hijack sessions
B) Predictable session IDs improve authentication speed
C) Predictable session IDs reduce the risk of CSRF attacks
D) Predictable session IDs help store session data efficiently

Answer: A) Predictable session IDs make it easy for attackers to guess and hijack sessions

Explanation: Attackers can guess sequential or weak session IDs and gain unauthorized access to user sessions.


186. What is a good practice for ensuring session tokens are protected in Single Page Applications (SPAs)?

A) Store them in HTTP-only secure cookies instead of local storage
B) Store them in browser local storage for easy access
C) Keep session tokens valid indefinitely
D) Use static session IDs

Answer: A) Store them in HTTP-only secure cookies instead of local storage

Explanation: Local storage is vulnerable to XSS attacks, whereas HTTP-only cookies help protect session tokens from unauthorized access.


187. What should happen when a session expires?

A) The user should be logged out and required to reauthenticate
B) The session token should be renewed automatically without user action
C) The session should persist across multiple devices
D) The session should remain active but hidden from the user

Answer: A) The user should be logged out and required to reauthenticate

Explanation: Expired sessions should be invalidated to prevent attackers from reusing old session tokens.


188. Why is limiting the lifetime of refresh tokens important?

A) To reduce the risk of attackers using stolen refresh tokens indefinitely
B) To improve website performance
C) To allow session reuse across different users
D) To make session authentication faster

Answer: A) To reduce the risk of attackers using stolen refresh tokens indefinitely

Explanation: Limiting the lifetime of refresh tokens minimizes the risk of long-term token abuse in case of theft.


189. What is an important security consideration for logging out users from multiple devices?

A) Ensuring all session tokens across devices are invalidated simultaneously
B) Keeping some session tokens active for user convenience
C) Allowing the user to manually delete session tokens
D) Encrypting the session tokens stored on each device

Answer: A) Ensuring all session tokens across devices are invalidated simultaneously

Explanation: When a user logs out, all active session tokens should be invalidated to prevent attackers from maintaining access on any device.


190. What is a primary reason for using OAuth or OpenID Connect for session management?

A) They allow secure, token-based authentication without persistent sessions
B) They eliminate the need for multi-factor authentication
C) They make session storage unnecessary
D) They enable session tokens to last indefinitely

Answer: A) They allow secure, token-based authentication without persistent sessions

Explanation: OAuth and OpenID Connect provide a secure framework for authentication using access tokens, reducing the need for long-lived session storage.


191. What is the purpose of using a session inactivity timeout in web applications?

A) To automatically log out users who have been idle for a specific period
B) To allow session reuse across multiple devices
C) To make session cookies last longer
D) To store session tokens in local storage

Answer: A) To automatically log out users who have been idle for a specific period

Explanation: An inactivity timeout ensures that unused sessions expire, reducing the risk of session hijacking and unauthorized access.


192. How does session hijacking via packet sniffing work?

A) Attackers intercept unencrypted session tokens transmitted over the network
B) Attackers modify session expiration settings
C) Attackers guess session tokens through brute-force attacks
D) Attackers inject malicious JavaScript into session storage

Answer: A) Attackers intercept unencrypted session tokens transmitted over the network

Explanation: Session hijacking via packet sniffing occurs when session tokens are transmitted over an unencrypted connection, allowing attackers to steal them.


193. What is a major risk of implementing “Keep me logged in” functionality without additional security measures?

A) Stolen persistent session tokens can be used to hijack user sessions indefinitely
B) It prevents CSRF attacks
C) It ensures session tokens expire quickly
D) It forces users to log in more frequently

Answer: A) Stolen persistent session tokens can be used to hijack user sessions indefinitely

Explanation: Without additional security measures, long-lived session tokens in “Keep me logged in” functionality can be misused if stolen.


194. Why is it important to validate session tokens on every request?

A) To detect unauthorized access attempts and expired sessions
B) To improve website performance
C) To allow multiple users to share the same session
D) To make session tokens last longer

Answer: A) To detect unauthorized access attempts and expired sessions

Explanation: Validating session tokens on every request ensures that only legitimate, active sessions are allowed, preventing hijacking.


195. What is an effective way to prevent session hijacking over public Wi-Fi networks?

A) Use VPN and enforce HTTPS for all session-related communication
B) Store session tokens in local storage for quick access
C) Use the same session ID across all devices
D) Set session tokens with a long expiration time

Answer: A) Use VPN and enforce HTTPS for all session-related communication

Explanation: Public Wi-Fi networks are vulnerable to MITM attacks, but using a VPN and enforcing HTTPS can protect session tokens from being intercepted.


196. How does setting session cookies with the “SameSite=Strict” attribute improve security?

A) It prevents session cookies from being sent with cross-site requests, mitigating CSRF attacks
B) It makes session cookies persist across browser sessions
C) It allows third-party websites to access session data
D) It speeds up authentication

Answer: A) It prevents session cookies from being sent with cross-site requests, mitigating CSRF attacks

Explanation: SameSite=Strict ensures that session cookies are not sent with cross-site requests, reducing the risk of CSRF attacks.


197. What security concern arises when using JWT (JSON Web Tokens) for session management?

A) If not invalidated properly, stolen JWTs can be used until they expire
B) JWTs require additional authentication
C) JWTs always expire after one request
D) JWTs cannot be used for authentication

Answer: A) If not invalidated properly, stolen JWTs can be used until they expire

Explanation: JWTs are stateless and cannot be revoked unless additional security measures like token blacklisting or short expiration times are implemented.


198. Why should developers avoid using session tokens in GET requests?

A) Session tokens in URLs can be exposed in browser history, logs, and referrer headers
B) GET requests are faster than POST requests
C) Session tokens in GET requests are encrypted by default
D) GET requests improve session persistence

Answer: A) Session tokens in URLs can be exposed in browser history, logs, and referrer headers

Explanation: Storing session tokens in URLs increases exposure to security risks, such as logging and referrer leaks.


199. What is an effective mitigation for session hijacking in mobile applications?

A) Store session tokens in platform-specific secure storage (e.g., iOS Keychain, Android Keystore)
B) Store session tokens in browser local storage
C) Use long-lived session cookies
D) Allow session reuse across different devices

Answer: A) Store session tokens in platform-specific secure storage (e.g., iOS Keychain, Android Keystore)

Explanation: Platform-specific secure storage mechanisms help protect session tokens from malware and unauthorized access on mobile devices.


200. Why is implementing session revocation important in security-sensitive applications?

A) It allows compromised or inactive sessions to be invalidated immediately
B) It increases session expiration time
C) It allows users to log in from multiple locations without reauthentication
D) It prevents the need for HTTPS

Answer: A) It allows compromised or inactive sessions to be invalidated immediately

Explanation: Session revocation ensures that compromised sessions cannot be reused by attackers after detection.


201. What is the primary reason to avoid storing session data on the client side?

A) Client-side storage is vulnerable to XSS attacks, allowing attackers to steal session tokens
B) Client-side storage improves session persistence
C) Client-side storage increases authentication speed
D) Client-side storage reduces server load

Answer: A) Client-side storage is vulnerable to XSS attacks, allowing attackers to steal session tokens

Explanation: Session tokens stored on the client side (e.g., localStorage) can be accessed by malicious scripts, making them vulnerable to theft.


202. What is the benefit of implementing IP-based session tracking?

A) It helps detect and prevent session hijacking from different IP addresses
B) It speeds up authentication
C) It eliminates the need for session expiration
D) It allows session reuse across different networks

Answer: A) It helps detect and prevent session hijacking from different IP addresses

Explanation: Tracking IP changes in sessions helps detect potential session hijacking attempts and unauthorized access.


203. Why should session termination be forced on logout?

A) To prevent attackers from reusing a valid session token after logout
B) To improve page loading speed
C) To allow users to resume their session later
D) To reduce database storage

Answer: A) To prevent attackers from reusing a valid session token after logout

Explanation: Forcing session termination on logout ensures that session tokens cannot be reused by attackers.


204. What is the impact of a weak session timeout policy?

A) Attackers may have prolonged access to hijacked sessions
B) Users will frequently get logged out
C) Authentication will become slower
D) HTTPS will be disabled

Answer: A) Attackers may have prolonged access to hijacked sessions

Explanation: Weak session timeout policies allow hijacked sessions to remain active for longer periods, increasing security risks.


205. How does implementing multi-factor authentication (MFA) reduce the impact of session hijacking?

A) It requires an additional verification step, making it harder for attackers to use stolen sessions
B) It speeds up authentication
C) It removes the need for session expiration
D) It allows session tokens to be stored in local storage

Answer: A) It requires an additional verification step, making it harder for attackers to use stolen sessions

Explanation: MFA ensures that even if an attacker hijacks a session, they cannot gain full access without passing the additional authentication step.