Session Security Protection
The session ID is unique and random, with high entropy (>64bits), preventing attackers from guessing or predicting the ID. The meaning of the session ID is stored on the server side inside the session management repository, and cannot be decoded on the client side. The session ID is stored in a cookie with the attributes Secure and HttpOnly.
Secure prevents the cookie transfer over unencrypted connections and prevents the stealing of the session ID through XSS attacks.
The Domain attribute HttpOnly instructs the web browser to only send the cookie to the origin server. Additionally, HTTP Strict Transport Security (HSTS) is used. This means the browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS.