可以将文章内容翻译成中文,广告屏蔽插件可能会导致该功能失效(如失效，请关闭广告屏蔽插件后再试):

问题:

Do you consider session replication as a security risk? I mean if an attacker manages to hijack the session, he would still be able to use the same valid session, especially in scenarios where the session do not expire until one manually logs out. What recommendations would you give to prevent session replication?

回答1:

You could have a rolling Session ID - every so often (e.g. after a certain number of requests or a certain short time period), the system generates a new Session ID.

To prevent errors with race conditions due to one resource request causing a new Session ID to be generated, both the current and the previous Session IDs should be accepted during the rollover interval.

In essence, this will cause one of the valid sessions (either the attacker's or the victim's) to expire within their browser as they are using the old Session ID and have not received the cookie containing a new ID.

You should display a message saying something along the lines of You have been logged out as your account is used elsewhere. If this happens to be the attacker's machine, then great - you have prevented an attack. If this happens to be the victim's machine at the very least they are aware that their session has been compromised and can take steps to inform the site owners.

If you also combine this with invalidating all existing session for the account upon user login, the victim user logging in again will kick the attacker out and the attacker will need to reacquire a valid Session ID. This should reduce the attack window significantly allowing the system to remain secure while the Session ID leak is investigated and fixed.