█
LastWrite
  • > Curriculum
  • > Pricing
  • > For Educators
  • > About
  • > Contact
Log InGet Started

Questions, concerns, bug reports, or suggestions? We read every message, write to us at [email protected].

More ways to reach us →
LastWrite

Structured computer science lessons for aspiring developers and security professionals.

[email protected]

(201) 785-7951

Mon–Fri, 9 AM–5 PM EST

Learn

  • Curriculum
  • Pricing

Company

  • About
  • For Educators & Schools
  • Contact Us

Legal

  • Terms of Service
  • Privacy Policy
© 2026 LastWrite. All rights reserved.
Curriculum/Cybersecurity/Application Security/Authentication and Session Security in Applications
45 minIntermediate

Authentication and Session Security in Applications

After this lesson, you will be able to: Inspect and modify HTTP requests with BurpSuite, and identify common cookie and session security issues.

Sessions are how a website 'remembers' you across requests. Almost every account-takeover bug begins with a session weakness. BurpSuite is the universal tool for inspecting and editing HTTP traffic, every web pen tester uses it.

Prerequisites:Input Validation and Injection Attacks

How sessions work

When you log in, the server creates a session and gives you a session ID, usually in a cookie. Every later request includes that cookie, and the server uses it to look up 'who is this and what can they do?'. If an attacker steals the session ID, they're you, no password needed.

Cookie security flags

HttpOnly. JavaScript can't read it (prevents XSS-based theft). Secure, only sent over HTTPS (prevents network sniffing). SameSite=Lax/Strict, cookie isn't sent on cross-site requests (prevents CSRF). Domain and Path, limit cookie scope. Missing any of these on a session cookie is a vulnerability.

session cookie
HttpOnlytrue✓
Securetrue✓
SameSiteLax✓
These three flags block the most common session-cookie attacks: HttpOnly stops JS theft, Secure forces HTTPS, SameSite blunts CSRF.

Try it: inspect with BurpSuite Community

BurpSuite is free for non-commercial use. Set up the proxy to view traffic.

  1. 1

    Download BurpSuite Community Edition

  2. 2

    Launch and start the embedded browser

  3. 3

    Navigate to a site you have permission to test (TryHackMe target, your own dev app)

  4. 4

    Go to the Proxy tab → HTTP history

  5. 5

    Find a request with a session cookie

  6. 6

    Forward to Repeater and modify the cookie to see how the server reacts

💡 Don't proxy your real bank

BurpSuite intercepts all traffic. Use it only against systems you control or have explicit written permission to test. Pointing it at a third-party site you don't own is a violation of computer-fraud laws.

Common session bugs

Predictable session IDs (sequential numbers, try the next one). Session fixation (attacker sets the victim's session ID before they log in). Missing logout invalidation (server doesn't actually delete the session). Long-lived tokens with no rotation (one stolen cookie = forever-access). All of these have caused real account-takeover incidents.

Quick Check

Why does HttpOnly matter?

Pick the cleanest answer.

Sign in and purchase access to unlock this lesson.

Sign in to purchase
←Input Validation and Injection Attacks
Back to Application Security
Secure Coding Practices→