- Begin to stop it being so logout happy for ordinary users who aren't doing anything particularly sensitive on the site by keeping track of when a user was last asked for credentials
- Don't continue to use the same session identifier once a user is logged in; it's likely been sent insecurely
- Mark session cookies as "SSL only" once logged in
- Automatically bump users from HTTP to HTTPS for all requests whilst they're logged in