30.04.2018 - You are making a session even if the login was invalid. same amount of work for every login attempt to prevent an attacker gathering information about valid You specifically asked about SQL injection and session hijacking.