Session Hijacking: How Stolen Tokens Bypass Your Defenses