For session IDs, the following practices are recommended:
Not allowing users to choose their own session identifiers
Using cookies for storing session values.
All choices are true
Ensuring that each user gets a "clean" session identifier number with each visit and revisits to your site
Cookies are generally more difficult to modify than hidden fields or CGI parameters.
If an attacker discovers that session identifiers are being reused, he can gather a number of valid ones and have an immediate advantage in a session fixation attack.
Users should get a new session number each time they visit your site, because that makes the attacker's job of giving them a compromised ID irrelevant.
Excerpt from Chapter 4 of "How to Break Web Software: Functional and Security Testing of Web Applications and Web Services," by Mike Andrews and James A. Whittaker.
Edit: "Using cookies for storing session values": can someone please explain why this choice is correct?