Web Application Session Strength

Presented at Blackhat USA 2004 by

Web applications handle user session management in a variety of ways and with varying degrees of security. The most common technique uses a session token carried in a cookie, an HTTP header, an HTML form input element, or a URL parameter. If this token is created or handled insecurely, the application is exposed to identity theft, user impersonation, privilege escalation, and authentication bypass. Unlike SQL injection or Cross-Site Scripting, which rely on malformed syntax, a session attack is not stopped by input validation filters or application-level firewalls, because a forged or stolen token is syntactically indistinguishable from a legitimate one. Consequently, it is necessary to understand how secure tokens are created, encoded, and encrypted in order to prevent unauthorized manipulation and to minimize the impact of a stolen value. Real-life examples are included, along with secure coding countermeasures that protect session tokens from prediction and manipulation attacks.
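The countermeasures the abstract refers to come down to three properties: the token must be unpredictable (generated from a CSPRNG, not a counter or a timestamp), tamper-evident (any edit to its encoded contents is detected server-side), and time-bounded (a stolen value stops working after a short window). The following Python is an added example illustrating those three properties; it is not code from the talk or its author. The token layout (`user_id | issued_at | nonce`, MAC'd with HMAC-SHA256 and base64url-encoded) and the constants `SERVER_KEY`, `NONCE_BYTES` and `MAX_AGE_SECONDS` are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed for this example: a real deployment loads the key from a
# secrets store and rotates it. It must never be derived from anything a
# client can observe, otherwise the MAC protects nothing.
SERVER_KEY = secrets.token_bytes(32)
NONCE_BYTES = 32          # 256 random bits: infeasible to guess or enumerate
MAX_AGE_SECONDS = 3600    # bounds how long a stolen token stays usable
SEP = "."


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, key: bytes = SERVER_KEY, now: Optional[int] = None) -> str:
    """Create a session token: base64url(payload) . base64url(HMAC-SHA256(payload)).

    payload = user_id | issued_at | nonce. The nonce comes from the OS CSPRNG,
    so tokens cannot be predicted from earlier ones; the MAC makes any edit
    to user_id or the timestamp detectable by the server.
    """
    if "|" in user_id:
        raise ValueError("user_id must not contain the field separator '|'")
    issued_at = int(time.time()) if now is None else now
    nonce = secrets.token_bytes(NONCE_BYTES)
    payload = f"{user_id}|{issued_at}|".encode() + nonce
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + SEP + _b64(mac)


def verify_token(token: str, key: bytes = SERVER_KEY, now: Optional[int] = None,
                 max_age: int = MAX_AGE_SECONDS) -> Optional[str]:
    """Return the user_id if the token is authentic and unexpired, else None."""
    try:
        payload_b64, mac_b64 = token.split(SEP)
        payload = _unb64(payload_b64)
        mac = _unb64(mac_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison: an early-exit byte compare would leak how
    # many leading bytes of a guessed MAC were correct.
    if not hmac.compare_digest(mac, expected):
        return None
    try:
        user_id, issued_at_raw, _nonce = payload.split(b"|", 2)
        issued_at = int(issued_at_raw)
    except ValueError:
        return None
    current = int(time.time()) if now is None else now
    if current < issued_at or current - issued_at > max_age:
        return None
    return user_id.decode()


def demo() -> dict:
    """Exercise the accept and reject paths with a fixed key and clock."""
    key = b"k" * 32  # constructed test key, not for real use
    tok = issue_token("alice", key=key, now=1_000_000)
    # A manipulated token: same MAC, payload re-encoded with a different user.
    payload_b64, mac_b64 = tok.split(SEP)
    edited = _unb64(payload_b64).replace(b"alice|", b"admin|", 1)
    manipulated = _b64(edited) + SEP + mac_b64
    return {
        "valid": verify_token(tok, key=key, now=1_000_100),
        "manipulated": verify_token(manipulated, key=key, now=1_000_100),
        "expired": verify_token(tok, key=key, now=1_000_000 + MAX_AGE_SECONDS + 1),
        "wrong_key": verify_token(tok, key=b"x" * 32, now=1_000_100),
    }


if __name__ == "__main__":
    print(demo())
```

Because the token is opaque to the client and its integrity is checked before any field is parsed, the server never acts on a value it did not itself issue; the expiry window is what limits the damage when a valid token is stolen rather than forged.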