Study for the Ethical Hacking Essentials Test. Explore interactive flashcards and multiple-choice questions with hints and explanations. Prepare thoroughly and boost your exam readiness!

Which protective measure can help prevent exposure of session IDs to attackers?

  1. Implement session timeout policies

  2. Reduce complexity of session IDs

  3. Store session IDs in plaintext

  4. Use static session IDs

The correct answer is: Implement session timeout policies

Implementing session timeout policies is a critical protective measure against the exposure of session IDs to attackers. A timeout policy automatically terminates a user's session after a predefined period of inactivity, which significantly narrows the window in which an attacker can hijack the session: a captured session ID is only useful while the session it belongs to is still active. Once the session expires, the old session ID is no longer valid and cannot be used to gain unauthorized access. Timeout policies also require users to log in again after periods of inactivity, further strengthening security by forcing fresh authentication. This practice is especially important in environments where sensitive information is processed, because it ensures that session IDs do not remain valid longer than necessary, which would increase the risk of exposure.

The other measures presented do not effectively mitigate the risks associated with session ID exposure. Reducing the complexity of session IDs makes them easier to guess; storing them in plaintext increases their vulnerability to interception; and using static session IDs makes them more susceptible to session hijacking, since attackers can exploit their predictability and permanence. Implementing session timeout policies is therefore crucial for securing session management.