18 Jun
Besides checking whether the session ID is valid, what other things should we check in order to prevent session ID leakage? [duplicate]
If the SessionID is leaked/hacked by someone else and they use that SessionID to get access to the account, can we double-check whether the SessionID is used on the right device? I'm thinking of checking the device fingerprint and whether the IP address is in the trusted IPs list.
For example: A few days ago, a friend of mine logged into their Facebook account in Safari on my Mac, but as a Guest user. I tried to copy all the cookies, local storage, and session storage and paste them into a new Safari profile on my main account. Nevertheless, when I refreshed the page, it remained unauthorized. I think that's a prevention of SessionID/Token leakage.
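The server-side binding the question proposes, a session tied to a device fingerprint and a trusted-IP list and re-checked on every request, as an added example (not code from the question or from any real application); the header inputs to the fingerprint, the in-memory store and the sample values are assumptions:

```python
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass

# Assumed in-memory session store; a real deployment keeps this server-side
# (database, Redis) so the binding can never be edited from the client.
SESSIONS: dict = {}


@dataclass
class Session:
    user: str
    fingerprint_hash: str      # hash of device attributes observed at login
    trusted_networks: list     # ipaddress networks the user pre-registered


def fingerprint(user_agent: str, accept_language: str) -> str:
    """Coarse, server-observed device fingerprint (assumed inputs).

    These headers are client-controlled, so this only stops a stolen cookie
    that is replayed from a different browser profile; it is a second
    check on the session, not proof of the device.
    """
    material = f"{user_agent}\x00{accept_language}".encode()
    return hashlib.sha256(material).hexdigest()


def create_session(user, user_agent, accept_language, trusted_cidrs) -> str:
    sid = secrets.token_urlsafe(32)            # unguessable session ID
    SESSIONS[sid] = Session(
        user,
        fingerprint(user_agent, accept_language),
        [ipaddress.ip_network(c) for c in trusted_cidrs],
    )
    return sid


def validate(sid, user_agent, accept_language, client_ip):
    """Return (ok, reason_or_user); a valid ID alone is not enough."""
    s = SESSIONS.get(sid)
    if s is None:
        return False, "unknown session"
    # Constant-time compare so the stored hash is not leaked by timing.
    observed = fingerprint(user_agent, accept_language)
    if not hmac.compare_digest(s.fingerprint_hash, observed):
        return False, "fingerprint mismatch"
    if not any(ipaddress.ip_address(client_ip) in n for n in s.trusted_networks):
        return False, "ip not trusted"   # in practice: step-up auth, not a hard deny
    return True, s.user
```

A mismatch is best handled by re-authentication rather than a silent logout, since mobile users change IP addresses and browser updates change the User-Agent.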