Are session IDs displayed in the URL string? Are session IDs vulnerable to session fixation? Are session IDs predictable? Are session cookies exposed to unauthorized access? Are sessions not properly terminated after a timeout or after a user-initiated termination? Does the application lack a proper logout function?
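The questions above map onto a small set of server-side controls: an unguessable ID from a CSPRNG, a fresh ID issued at login (so an attacker-planted pre-login ID never becomes an authenticated one), idle and absolute timeouts enforced on the server, logout that invalidates server-side state rather than only clearing the cookie, and cookie attributes that keep the ID out of script and plaintext transport. The following Python module is an added illustration of those controls, not code from the original checklist; the store, the timeout values, the `session_id_in_url` helper and its list of parameter names are all constructed assumptions for the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed policy values for the example; tune to the application's risk.
IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard lifetime cap regardless of activity


@dataclass
class Session:
    user: Optional[str]
    created_at: float
    last_seen: float


class SessionStore:
    """Server-side session state; the cookie carries only an opaque random ID."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now                       # injectable clock for testing
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def new_id() -> str:
        # 32 bytes from the OS CSPRNG: neither sequential nor derivable from
        # user data, which answers the "predictable session ID" question.
        return secrets.token_urlsafe(32)

    def create(self, user: Optional[str] = None) -> str:
        sid = self.new_id()
        t = self._now()
        self._sessions[sid] = Session(user, t, t)
        return sid

    def login(self, sid: str, user: str) -> str:
        # Anti-fixation: the pre-authentication ID is discarded and a brand new
        # one is issued, so an ID an attacker planted never gains privileges.
        self.destroy(sid)
        return self.create(user)

    def get(self, sid: str) -> Optional[Session]:
        # Expiry is enforced here, on the server, not by trusting the browser
        # to forget the cookie.
        s = self._sessions.get(sid)
        if s is None:
            return None
        t = self._now()
        if t - s.last_seen > IDLE_TIMEOUT or t - s.created_at > ABSOLUTE_TIMEOUT:
            self.destroy(sid)
            return None
        s.last_seen = t
        return s

    def destroy(self, sid: str) -> None:
        # Logout: remove server-side state so a replayed cookie value is useless.
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str) -> str:
    # HttpOnly keeps scripts from reading the ID, Secure keeps it off plaintext
    # HTTP, SameSite limits cross-site sending; no Max-Age makes it a session
    # cookie that the browser drops when closed.
    return f"session={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


# Constructed list of parameter names commonly used to carry a session ID.
SESSION_PARAM_NAMES = {"session", "sessionid", "sid", "jsessionid", "phpsessid"}


def session_id_in_url(url: str) -> bool:
    """Flag URLs (e.g. from access logs) that expose a session ID in the query
    string or as a ;jsessionid= path parameter, where it can leak via Referer
    headers, browser history and proxy logs."""
    parts = urlsplit(url)
    query_names = {name.lower() for name in parse_qs(parts.query)}
    return bool(query_names & SESSION_PARAM_NAMES) or ";jsessionid=" in parts.path.lower()


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()
    authed = store.login(anon, "alice")
    print("ID rotated at login:", anon != authed)
    print(set_cookie_header(authed))
    print(session_id_in_url("https://app.example/account?PHPSESSID=abc123"))
```

The `now` parameter exists only so that the timeout logic can be exercised with a fake clock; in production the default `time.time` is used.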