Invalidating the cache
The session ID must simply be an identifier on the client side, and its value must never include sensitive information (or PII).The meaning and business or application logic associated to the session ID must be stored on the server side, and specifically, in session objects or in a session management database or repository.
The session management implementation defines the exchange mechanism that will be used between the user and the web application to share and continuously exchange the session ID.
The session ID must be unpredictable (random enough) to prevent guessing attacks, where an attacker is able to guess or predict the ID of a valid session through statistical analysis techniques.
For this purpose, a good PRNG (Pseudo Random Number Generator) must be used.
The session ID must be long enough to prevent brute force attacks, where an attacker can go through the whole range of ID values and verify the existence of valid sessions.
The session ID length must be at least 128 bits (16 bytes).