I found this blog on session management really useful: <a href="https://supertokens.com/blog/all-you-need-to-know-about-user-session-security" rel="nofollow">https://supertokens.com/blog/all-you-need-to-know-about-user...</a>
There is a solution to this....

Cookies should always be used in conjunction with a TLS Session ID.

If the session ID doesn't match, then throw away the cookies.

Session ID is designed to be hard to steal - in some clients, it actually uses keys from the TPM to derive the session ID - so even if someone steals the browser cookie jar, there is no way they can recreate the session ID.

Sadly, today very few sites check the session ID.
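A worked version of the check the comment above describes, added here as an illustration; it is not code from the commenter, from the linked blog, or from any real site. It assumes the server can obtain an opaque per-connection identifier from its TLS layer (the comment's "TLS Session ID"), passed in as `channel_id`; where that identifier comes from, and whether a given client derives it from a TPM, is outside the example. The cookie carries a session ID plus an HMAC over (session ID, channel ID), so a cookie copied out of the browser and replayed on a different TLS channel fails the HMAC and, as the comment suggests, the session is thrown away.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field

# Server-side binding key. A real deployment loads this from a secret
# store; it is generated per process here so the example runs stand-alone.
SERVER_KEY = secrets.token_bytes(32)


def _bind_tag(session_id: str, channel_id: str) -> str:
    """HMAC over (session_id, channel_id).

    A thief who copies the cookie gets session_id and this tag, but the tag
    only verifies against the channel it was issued on, so replaying it over
    the attacker's own TLS connection produces a mismatch.
    """
    msg = session_id.encode() + b"\x00" + channel_id.encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


@dataclass
class SessionStore:
    sessions: dict = field(default_factory=dict)  # session_id -> user
    revoked: set = field(default_factory=set)

    def issue_cookie(self, user: str, channel_id: str) -> str:
        """Create a session on the given channel; return the cookie value."""
        session_id = secrets.token_urlsafe(32)  # no '.' in this alphabet
        self.sessions[session_id] = user
        return f"{session_id}.{_bind_tag(session_id, channel_id)}"

    def authenticate(self, cookie: str, channel_id: str):
        """Return the user if the cookie is valid for this channel, else None.

        A cookie that is structurally valid but bound to a different channel
        is treated as stolen: the session is revoked server-side, so neither
        the thief nor the original browser can keep using it.
        """
        try:
            session_id, tag = cookie.split(".", 1)
        except ValueError:
            return None
        if session_id not in self.sessions:
            return None
        expected = _bind_tag(session_id, channel_id)
        if not hmac.compare_digest(tag, expected):
            self.revoke(session_id)
            return None
        return self.sessions[session_id]

    def revoke(self, session_id: str) -> None:
        self.sessions.pop(session_id, None)
        self.revoked.add(session_id)


def demo() -> bool:
    """Walk through the theft scenario with constructed channel identifiers."""
    store = SessionStore()
    victim_channel = "tls-channel:victim-laptop"    # constructed, hypothetical
    attacker_channel = "tls-channel:attacker-box"   # constructed, hypothetical

    cookie = store.issue_cookie("alice", victim_channel)
    assert store.authenticate(cookie, victim_channel) == "alice"

    # Attacker exfiltrates the cookie jar and replays it from their own TLS session.
    assert store.authenticate(cookie, attacker_channel) is None

    # The replay revoked the session, so the victim's browser is logged out too.
    assert store.authenticate(cookie, victim_channel) is None
    return True


if __name__ == "__main__":
    print("ok" if demo() else "failed")
```

Two design points worth noting. Revoking on mismatch means anyone holding a stolen cookie can still force the victim to log out, which is the intended fail-safe rather than a bug. And the binding identifier must be stable for the lifetime of the cookie: a raw TLS session ID changes whenever the client opens a new connection or resumes with a fresh ticket, so a real deployment needs an identifier that survives reconnects, not just the ID of the current TLS session.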
If you're using an ATM and just put in your card and entered your PIN, and then someone walks up with a knife, makes you leave, and withdraws $1000 from your bank account, was that a bypass of the ATM's 2FA?