Session Management

22 Controls

Protect the session ID tokens after a user authenticates.

  • Generate new session IDs upon login
  • Set Secure and HttpOnly flags on cookies
  • Enforce absolute and idle session timeouts
  • Invalidate sessions properly on the server upon logout
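
The four controls above combined in one minimal server-side session store, as an added example that is not part of the original page. The class and function names, the in-memory dict, the cookie name and the timeout values are assumptions chosen for illustration.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60            # assumed value: seconds of inactivity allowed
ABSOLUTE_TIMEOUT = 8 * 60 * 60    # assumed value: maximum total session lifetime


class SessionStore:
    """In-memory server-side session store (hypothetical, for illustration)."""

    def __init__(self, clock=time.time):
        self._sessions = {}       # session ID -> record
        self._clock = clock       # injectable so timeouts can be tested

    def _new(self, user):
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def start_anonymous(self):
        return self._new(None)

    def login(self, old_sid, user):
        # Discard the pre-login ID and issue a fresh one, so an ID that was
        # fixed or observed before authentication never becomes privileged.
        self._sessions.pop(old_sid, None)
        return self._new(user)

    def validate(self, sid):
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self._clock()
        expired = (now - rec["created"] > ABSOLUTE_TIMEOUT
                   or now - rec["last_seen"] > IDLE_TIMEOUT)
        if expired:
            del self._sessions[sid]       # remove server-side state as well
            return None
        rec["last_seen"] = now            # activity resets only the idle timer
        return rec

    def logout(self, sid):
        # Invalidate on the server; clearing the browser cookie alone would
        # leave a copied ID usable until it timed out.
        self._sessions.pop(sid, None)


def session_cookie(sid):
    # Secure: sent over HTTPS only. HttpOnly: not readable by page scripts.
    return f"Set-Cookie: session={sid}; Path=/; Secure; HttpOnly"
```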