A session misconfiguration in the application may give an attacker a means to bypass authentication and gain unauthorized access to sensitive information, perhaps with elevated privileges.
Api Portal 3.5
TLS/SSL prevents this completely, provided that Apache is configured optimally:
1. Navigate to etc/httpd/conf.d/ssl.conf and make sure the following directives are in place:
SSLProtocol All -SSLv2 -SSLv3
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
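
To confirm that both directives are actually active in ssl.conf, the check below can be run over the file's contents. It is an added example, not part of the original page or of API Portal; the function names, the sample configs and the simplified model of SSLProtocol parsing are assumptions made for illustration.

```python
import re

# Constructed sample configs for the demo (not from a real deployment).
GOOD_CONF = """
SSLProtocol All -SSLv2 -SSLv3
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
"""
WEAK_CONF = """
SSLProtocol All -SSLv2
Header always set Strict-Transport-Security "max-age=300"
"""

def directives(conf_text):
    """Yield (lowercased name, argument string) for each active directive."""
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "<")):  # skip comments, containers
            name, _, args = line.replace("\t", " ").partition(" ")
            yield name.lower(), args.strip()

def enabled_legacy(protocol_args):
    """Simplified SSLProtocol model: return SSLv2/SSLv3 entries left enabled."""
    enabled = set()
    for tok in protocol_args.lower().split():
        if tok.startswith("-"):
            enabled.discard(tok[1:])
        else:  # 'All', '+X' or bare 'X' are treated as enabling protocols
            name = tok.lstrip("+")
            enabled |= {"sslv2", "sslv3"} if name == "all" else {name}
    return sorted(enabled & {"sslv2", "sslv3"})

def audit_ssl_conf(conf_text, min_max_age=63072000):
    """Return a list of findings; an empty list means both settings are in place."""
    found = list(directives(conf_text))
    findings = []
    protocols = [a for n, a in found if n == "sslprotocol"]
    if not protocols:
        findings.append("SSLProtocol is not set")
    else:  # the last directive in the file is the one evaluated here
        findings += [f"{p} still enabled" for p in enabled_legacy(protocols[-1])]
    hsts = [a for n, a in found if n == "header" and "strict-transport-security" in a.lower()]
    if not hsts:
        findings.append("Strict-Transport-Security header is not set")
    else:
        m = re.search(r"max-age=(\d+)", hsts[-1], re.I)
        if not m or int(m.group(1)) < min_max_age:
            findings.append("HSTS max-age missing or below threshold")
        if "includesubdomains" not in hsts[-1].lower():
            findings.append("HSTS lacks includeSubDomains")
    return findings
```

Pass the text of ssl.conf to `audit_ssl_conf`; the default threshold is the max-age value given above.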