Also assume that the valid credentials have been stolen and are being used by a hacker.
Make sure anything done in a session can be undone as part of sanitizing the user