Section
2.1.8
Top Level
General
Protect the session ID as much as possible. Don't support URL rewriting and don't log session IDs. Use SSL all the time if possible; if the site is not served entirely over SSL, invalidate the current session ID and issue a new one on each SSL/non-SSL transition. If you are always using SSL, set the "secure" flag on the session cookie to ensure it is only sent over SSL.
Django
Django's default session application will not issue new session IDs on SSL/non-SSL transitions.
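One way to add the missing rotation on a mixed SSL/non-SSL Django site, as an added example that is not Django's own code or part of the original guideline. It assumes Django's SessionMiddleware is listed earlier in MIDDLEWARE so that request.session exists; the class name and SCHEME_KEY are hypothetical.

```python
# Added example (not Django's own code). Assumes SessionMiddleware runs
# earlier in MIDDLEWARE so request.session exists. SCHEME_KEY is a made-up name.
SCHEME_KEY = "_transport_scheme"


class CycleSessionOnSchemeChange:
    """Issue a new session ID whenever a session crosses HTTP <-> HTTPS."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        session = getattr(request, "session", None)
        if session is None:
            return self.get_response(request)

        scheme = "https" if request.is_secure() else "http"
        previous = session.get(SCHEME_KEY)
        if previous is not None and previous != scheme:
            # cycle_key() keeps the session data, stores it under a fresh
            # key and deletes the old key, so the ID that travelled over
            # the other scheme stops being valid.
            session.cycle_key()

        response = self.get_response(request)

        # Stamp only sessions that hold data (including ones the view just
        # created), so anonymous visitors do not get a session just for this.
        if session.keys() and session.get(SCHEME_KEY) != scheme:
            session[SCHEME_KEY] = scheme
        return response


# settings.py for a site that is HTTPS-only (the middleware is then unneeded):
#   SESSION_COOKIE_SECURE = True
```

Behind a TLS-terminating proxy, request.is_secure() only reflects the client's scheme if SECURE_PROXY_SSL_HEADER is configured for that proxy.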
Java

In J2EE, investigate all usages of HttpSession.getId() to ensure that the session ID is never leaked. Except in special circumstances, this method should never be used.