---
title: Secure sessions
description: Cookie hijacking is not the only danger to sessions. Consider the following non-exhaustive list of scenarios that can result in a compromised account:
component: pingam
version: 8.1
page_id: pingam:security:securing-sessions
canonical_url: https://docs.pingidentity.com/pingam/8.1/security/securing-sessions.html
keywords: ["Security", "Setup & Configuration", "Sessions"]
page_aliases: ["security-guide:securing-sessions.adoc"]
---

# Secure sessions

Cookie hijacking is not the only danger to sessions. Consider the following non-exhaustive list of scenarios that can result in a compromised account:

* End users entering their data in a malicious website thinking it is the authentic one.

* End users leaving their computers unattended while their authenticated session is open.

* End users logging in from completely different locations or devices than usual.

The following table summarizes the tasks you should perform to keep sessions secure:

| Task | Resources |
| ---- | --------- |
| **Settings related to session termination**: Understand session termination, and configure the authenticated session time-to-live and idle timeout. Making sure sessions expire within a reasonable time helps you protect your environment against impersonation attacks. | [Session termination](session-state-session-termination.html) |
| **Lock accounts after failed login attempts**: Configure account lockout to protect your environment against brute-force or dictionary attacks. | [Account lockout](account-lockout.html) |
| **Limit the number of active authenticated sessions**: Prevent users from logging in from more than two devices at a time, for example. This helps you mitigate cases where user accounts have been compromised. | [Session quotas](session-quotas.html) |
| **Protect client-side sessions**: AM offers additional security measures to protect client-side sessions. They are more vulnerable to hijacking than server-side sessions because the cookie itself holds all of the session information. | [Client-side session security](session-state-configure-cookie-security.html) |
| **Protect journey sessions**: Configure journey session allowlisting to protect these sessions against replay attacks. | [Journey session allowlisting](auth-session-whitelist.html) |
| **Delete sessions when users change their passwords**: When a user changes their password, existing authenticated sessions aren't deleted automatically. You should implement a mechanism to invalidate existing authenticated sessions on password reset. | [Session invalidation](session-invalidation.html) |
