NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION
SC-23(4) — Unique Session Identifiers with Randomization
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Practitioner Notes
Session identifiers must be unique per session and generated with enough randomness that an attacker cannot guess or brute-force a valid one. Uniqueness should come from the randomness itself, not from a counter or timestamp: 128 bits or more from a cryptographically secure generator makes collisions negligible and guessing infeasible.
Example 1: Generate session IDs of at least 128 bits (16 bytes) from a cryptographically secure random number generator (CSPRNG), never from a general-purpose PRNG such as Python's random module or Java's java.util.Random. In Python, use the secrets module (secrets.token_urlsafe(32) gives 256 bits), which reads from os.urandom(). Note that Flask's default session is a client-side cookie signed with SECRET_KEY rather than a server-side session ID; what must be unguessable there is SECRET_KEY (for example secrets.token_bytes(32)), and a server-side extension such as Flask-Session is needed if you want random session IDs stored on the server.
Example 2: Regenerate the session ID in the application immediately after successful authentication (and on any change of privilege level), not only at session start, and invalidate the old ID at the same time. This prevents session fixation, where an attacker plants a known session ID in the victim's browser before the victim logs in and then reuses it afterwards. Most frameworks support this directly (for example PHP's session_regenerate_id(true) or Spring Security's default session-fixation protection). A load balancer or reverse proxy is the wrong place for this control: it sees only the cookie value and has no knowledge of the login event, so the rotation has to happen where authentication is processed.
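The following is an added example (not part of this control text or of any framework) showing both notes together: a minimal server-side session store that issues 256-bit IDs from the secrets module and rotates the ID on login so that an attacker-planted ID stops working. The SessionStore class, its method names and the demo_fixation() walkthrough are hypothetical names chosen for illustration.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

SESSION_ID_BYTES = 32  # 256 bits of CSPRNG output; 16 bytes (128 bits) is the floor


@dataclass
class Session:
    user: Optional[str] = None          # None until authenticated
    created: float = field(default_factory=time.monotonic)


class SessionStore:
    """Server-side session store keyed by random session IDs (illustrative, in-memory)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def new_id() -> str:
        # secrets.token_urlsafe() draws from os.urandom(); never use random.random()
        # or a counter, both of which an attacker can predict.
        return secrets.token_urlsafe(SESSION_ID_BYTES)

    def create(self) -> str:
        """Start an anonymous (pre-authentication) session."""
        sid = self.new_id()
        self._sessions[sid] = Session()
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def login(self, sid: str, user: str) -> str:
        """Authenticate and rotate the session ID (session-fixation defence).

        The ID presented at login is discarded whether or not it was ever
        issued by us, so an attacker-planted value never becomes an
        authenticated session.
        """
        old = self._sessions.pop(sid, None)   # old ID is invalid from this point
        new_sid = self.new_id()
        self._sessions[new_sid] = Session(
            user=user,
            created=old.created if old else time.monotonic(),
        )
        return new_sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def demo_fixation() -> dict:
    """Constructed walkthrough: attacker plants a known ID, victim logs in."""
    store = SessionStore()
    planted = store.create()               # attacker obtains a valid anonymous ID
    victim_sid = store.login(planted, "victim")  # victim logs in using the planted ID
    return {
        "rotated": victim_sid != planted,
        "attacker_id_valid_after_login": store.get(planted) is not None,
        "victim_session_user": store.get(victim_sid).user,
        "id_length_chars": len(victim_sid),  # 43 base64url chars for 32 bytes
    }


if __name__ == "__main__":
    print(demo_fixation())
```

Because the pre-login ID is dropped even when it was never issued by the server, the check also covers the case where the attacker fabricates an ID rather than obtaining one; in a real deployment the store would be backed by a database or cache with an expiry, but the rotation logic is unchanged.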