Session management-related vulnerabilities are part of the OWASP Top 10 2017. They are covered under A2:2017 Broken Authentication. Some of the vulnerabilities listed under this category are as follows:
- Application generating session IDs that are not unique, random, or complex, and are therefore easily guessable
- Application exposing session identifiers as part of the URL or in audit log files
- Application vulnerable to replay attack
- Application vulnerable to Cross-Site Request Forgery attack
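The following Python script is an added example (not part of the original text or of OWASP's own material) that turns three of the bullets above into concrete checks a defender can run: a constructed counter-based session ID generator beside a hardened CSPRNG-based one, with a heuristic that flags guessable ID samples; a scan of constructed access-log lines for session identifiers carried in the URL; and a session-bound CSRF token issued and verified in constant time. The parameter names, log format and key are assumptions made for the example.

```python
"""Added example: checks for the session-management weaknesses listed above."""
import hmac
import math
import os
import re
import secrets
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# --- 1. Session ID generation: guessable (constructed) vs hardened ----------

_counter = 0


def weak_session_id() -> str:
    """Constructed weak generator: a zero-padded counter, trivially guessable."""
    global _counter
    _counter += 1
    return f"sess-{_counter:08d}"


def strong_session_id(nbytes: int = 32) -> str:
    """Hardened form: 256 bits from the OS CSPRNG, URL-safe base64 encoded."""
    return secrets.token_urlsafe(nbytes)


def entropy_bits_per_char(ids: list[str]) -> float:
    """Empirical Shannon entropy of the characters across a sample of IDs."""
    counts = Counter("".join(ids))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def looks_guessable(ids: list[str], min_bits_per_char: float = 3.5) -> bool:
    """Heuristic triage of a sample: duplicates, a long shared prefix, or low entropy."""
    if len(set(ids)) != len(ids):            # not unique
        return True
    shared = len(os.path.commonprefix(ids))  # structure shared by every ID
    if shared > min(map(len, ids)) // 2:
        return True
    return entropy_bits_per_char(ids) < min_bits_per_char


# --- 2. Session identifiers leaking into URLs and log files -----------------

# Assumed parameter names commonly used for session identifiers.
SESSION_PARAM_NAMES = {"sessionid", "phpsessid", "jsessionid", "sid", "session"}


def session_ids_in_url(url: str) -> list[str]:
    """Names of query/path parameters in the URL that look like session IDs."""
    parts = urlsplit(url)
    found = {k for k in parse_qs(parts.query) if k.lower() in SESSION_PARAM_NAMES}
    if ";jsessionid=" in parts.path.lower():  # Java-style path parameter
        found.add("jsessionid")
    return sorted(found)


def audit_log_for_session_leaks(log_lines: list[str]) -> list[tuple[int, str]]:
    """(line number, parameter name) for every request URL carrying a session ID."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if m:
            hits.extend((n, p) for p in session_ids_in_url(m.group(1)))
    return hits


# Constructed sample log lines in common log format (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /account?sessionid=abc123 HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "GET /static/app.js HTTP/1.1" 200 9001',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "POST /cart;jsessionid=9F2A HTTP/1.1" 302 0',
]

# --- 3. CSRF: session-bound token with constant-time verification ----------


def issue_csrf_token(session_id: str, server_key: bytes) -> str:
    """HMAC-based token bound to the session; unforgeable without server_key."""
    return hmac.new(server_key, session_id.encode(), "sha256").hexdigest()


def verify_csrf_token(session_id: str, server_key: bytes, presented: str) -> bool:
    """Recompute the expected token and compare in constant time."""
    return hmac.compare_digest(issue_csrf_token(session_id, server_key), presented)


if __name__ == "__main__":
    print("counter IDs guessable:", looks_guessable([weak_session_id() for _ in range(50)]))
    print("CSPRNG IDs guessable:", looks_guessable([strong_session_id() for _ in range(50)]))
    print("session IDs in URLs:", audit_log_for_session_leaks(SAMPLE_LOG))
    key = secrets.token_bytes(32)            # per-deployment secret (assumed)
    tok = issue_csrf_token("example-session", key)
    print("CSRF token verifies:", verify_csrf_token("example-session", key, tok))
```

The guessability heuristic is a triage aid, not a proof: an ID can pass the entropy and prefix checks and still be predictable if the generator is a seeded non-cryptographic PRNG, so the real fix is the CSPRNG source shown in `strong_session_id`, not the measurement. The CSRF token here binds to the session but carries no expiry, so it does not by itself address the replay bullet.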