Web application session management sounds pretty straightforward, right? Send credentials, get a cookie, send the cookie on subsequent requests, and you’re in. That may be true, but it’s only half of the (horror) story. In this technical, example-driven talk, we’ll dive into session management issues in a way that works for newcomers and veterans alike. We’ll cover some of the more common web app session management issues, look at industry trends (“I don’t need no stinkin’ database!”), and walk through some of the new directions in session management security. I’ll wrap up by demonstrating ways to make web app sessions more resilient to attack.
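As an added illustration of the “no database” trend mentioned above (this is example code written for this page, not material from the talk), here is a minimal stateless session cookie: the server signs the session payload with an HMAC and hands it to the client, then on each request it checks the signature in constant time and the expiry before trusting anything inside. The cookie layout (`<base64 payload>.<base64 tag>`), the field names (`sub`, `iat`, `exp`, `sid`) and the in-memory key are assumptions made for the example.

```python
"""Added example (not from the talk): a stateless, HMAC-signed session cookie.

Layout, field names and key handling are assumptions for illustration.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumption: a real deployment loads this from a secrets manager; a fresh
# random key per process means cookies do not survive restarts or scale-out.
SERVER_KEY = secrets.token_bytes(32)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session(user_id: str, ttl_seconds: int = 3600,
                  now: Optional[float] = None, key: bytes = SERVER_KEY) -> str:
    """Build a signed cookie value. No server-side state is kept."""
    now = time.time() if now is None else now
    payload = {
        "sub": user_id,
        "iat": int(now),
        "exp": int(now) + ttl_seconds,
        "sid": secrets.token_hex(16),   # unique per login, so two logins differ
    }
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def verify_session(cookie: str, now: Optional[float] = None,
                   key: bytes = SERVER_KEY) -> Optional[dict]:
    """Return the payload if the signature and expiry check out, else None."""
    now = time.time() if now is None else now
    try:
        body, tag_b64 = cookie.split(".", 1)
        expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
        # Constant-time compare: never short-circuit on the first wrong byte.
        if not hmac.compare_digest(expected, _unb64(tag_b64)):
            return None
        payload = json.loads(_unb64(body))
    except (ValueError, TypeError):      # malformed base64/JSON/structure
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None
    return payload


def forge_subject(cookie: str, new_user: str) -> str:
    """Attacker's attempt: rewrite the subject but keep the original tag."""
    body, tag = cookie.split(".", 1)
    payload = json.loads(_unb64(body))
    payload["sub"] = new_user
    new_body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    return f"{new_body}.{tag}"


if __name__ == "__main__":
    cookie = issue_session("alice", ttl_seconds=600)
    print("valid:   ", verify_session(cookie))
    print("forged:  ", verify_session(forge_subject(cookie, "admin")))
    print("expired: ", verify_session(cookie, now=time.time() + 601))
```

The trade-off a practitioner should keep in mind: because nothing is stored server-side, a cookie like this cannot be revoked before `exp` without reintroducing some state (a key rotation, a denylist of `sid` values, or a short TTL plus refresh). Pair it with `Secure`, `HttpOnly` and `SameSite` attributes on the actual `Set-Cookie` header, and issue a new cookie at login so a pre-authentication value is never promoted to an authenticated one.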