Always regenerate a session ID (SID) when elevating privileges
Check for suspicious activity and immediately destroy any suspect session, e.g. if we have no username but somehow a session, it's better to clean up the session before login
When a user logs out, destroy their session explicitly on the server.
Numbers 1, 2, 9 from https://wblinks.com/notes/secure-session-management-tips/
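Added example (not from the linked notes, and not any framework's API): a minimal server-side session store in Python that applies the three tips above; the `SessionStore` class, its method names and the `elevated` flag are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    username: Optional[str] = None   # None until the user authenticates
    elevated: bool = False           # True after a privilege elevation step
    data: Dict[str, str] = field(default_factory=dict)


class SessionStore:
    """In-memory server-side session store (constructed example)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self) -> str:
        sid = secrets.token_urlsafe(32)  # unguessable SID
        self._sessions[sid] = Session()
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def destroy(self, sid: str) -> None:
        # Tip 3: logout must remove the session server-side, not just the cookie.
        self._sessions.pop(sid, None)

    def login(self, sid: Optional[str], username: str, credentials_ok: bool) -> Optional[str]:
        # Tip 2: a session presented before login with no username is suspect;
        # drop it before authenticating so nothing it carried survives.
        if sid is not None and sid in self._sessions and self._sessions[sid].username is None:
            self.destroy(sid)
        if not credentials_ok:
            return None
        new_sid = self.create()  # fresh SID: defeats fixation of the pre-login SID
        self._sessions[new_sid].username = username
        return new_sid

    def elevate(self, sid: str) -> str:
        # Tip 1: regenerate the SID when privileges go up; old SID stops working.
        session = self._sessions.get(sid)
        if session is None or session.username is None:
            raise PermissionError("elevation requires an authenticated session")
        self._sessions.pop(sid)
        session.elevated = True
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = session
        return new_sid
```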