Hmmm, most of it is covered by going through OWASP's Authentication Cheatsheets.
In my mind: session invalidation, session locking to user agent or IP address. It really depends on how sensitive your users' data is and how far ahead you are on the business side of things for you to really have time to focus on security deeply.
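To make the two items in the comment above concrete, here is an added example (not the commenter's code, and not from any particular framework) of a server-side session store that does both: it binds each session to the User-Agent seen at login, optionally to the client IP, enforces idle and absolute timeouts, and supports invalidating one session, rotating a session ID after login, and revoking every session a user holds (the thing you want on password change or "log out everywhere"). All names (`SessionStore`, `Session`, the timeout constants) are hypothetical; the `clock` parameter exists so the timeouts can be exercised deterministically.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

IDLE_TIMEOUT = 30 * 60        # seconds without activity before a session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on session lifetime regardless of activity


@dataclass
class Session:
    user_id: str
    ua_hash: str          # SHA-256 of the User-Agent seen at login
    ip: str               # client IP seen at login
    created_at: float
    last_seen: float
    revoked: bool = False


@dataclass
class SessionStore:
    """Hypothetical in-memory store; a real deployment would back this with Redis or a DB."""
    clock: Callable[[], float] = field(default=time.time)
    bind_ip: bool = False   # opt-in: IP binding breaks legitimately for mobile / NAT / VPN users
    _sessions: Dict[str, Session] = field(default_factory=dict)
    _by_user: Dict[str, Set[str]] = field(default_factory=dict)

    @staticmethod
    def _ua_hash(user_agent: str) -> str:
        return hashlib.sha256(user_agent.encode("utf-8")).hexdigest()

    def create(self, user_id: str, user_agent: str, ip: str) -> str:
        """Issue a fresh, unguessable session ID bound to the caller's UA (and IP if enabled)."""
        sid = secrets.token_urlsafe(32)  # 256 bits of CSPRNG entropy
        now = self.clock()
        self._sessions[sid] = Session(user_id, self._ua_hash(user_agent), ip, now, now)
        self._by_user.setdefault(user_id, set()).add(sid)
        return sid

    def validate(self, sid: str, user_agent: str, ip: str) -> Optional[str]:
        """Return the user ID if the session is live and matches the presenting client, else None.
        Any mismatch revokes the session outright: a stolen cookie should not keep working
        from the attacker's machine just because the real user is still active."""
        s = self._sessions.get(sid)
        if s is None or s.revoked:
            return None
        now = self.clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created_at > ABSOLUTE_TIMEOUT:
            self.revoke(sid)
            return None
        if not hmac.compare_digest(s.ua_hash, self._ua_hash(user_agent)):
            self.revoke(sid)
            return None
        if self.bind_ip and s.ip != ip:
            self.revoke(sid)
            return None
        s.last_seen = now
        return s.user_id

    def revoke(self, sid: str) -> None:
        """Invalidate a single session (logout). Keeps the record so a replay is still refused."""
        s = self._sessions.get(sid)
        if s is not None:
            s.revoked = True

    def revoke_all_for_user(self, user_id: str) -> None:
        """Invalidate every session for a user: password change, suspected compromise, 'log out everywhere'."""
        for sid in self._by_user.get(user_id, set()):
            self.revoke(sid)

    def rotate(self, sid: str, user_agent: str, ip: str) -> Optional[str]:
        """Swap the session ID for a new one after login or privilege change (defeats session fixation)."""
        user_id = self.validate(sid, user_agent, ip)
        if user_id is None:
            return None
        self.revoke(sid)
        return self.create(user_id, user_agent, ip)
```

Two caveats a practitioner should weigh before copying this. User-Agent binding is cheap but weak: an attacker who lifted the cookie with malware or XSS usually has the matching UA too, so treat it as a speed bump, not a control. IP binding is stronger against a replayed cookie but will log out real users whose address changes (mobile hand-offs, carrier NAT, VPN reconnects), which is why it is opt-in here; many teams instead log the IP change and step up authentication rather than hard-revoking.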