Merge pull request #278527 from anthonychu/patch-25

[Container Apps] Add warning for session identifiers

Author: prmerger-automator[bot]

articles/container-apps/sessions.md

@@ -75,6 +75,20 @@ You pass the session identifier in a query parameter named `identifier` in the U
 
 For code interpreter sessions, you can also use an integration with an [LLM framework](./sessions-code-interpreter.md#llm-framework-integrations). The framework handles the token generation and management for you. Ensure that the application is configured with a managed identity that has the necessary role assignments on the session pool.
 
+##### Protecting session identifiers
+
+The session identifier is sensitive information which requires a secure process as you create and manage its value. To protect this value, your application must ensure each user or tenant only has access to their own sessions.
+
+The specific strategies that prevent misuse of session identifiers differ depending on the design and architecture of your app. However, your app must always have complete control over the creation and use of session identifiers so that a malicious user can't access another user's session.
+
+Example strategies include:
+
+* **One session per user**: If your app uses one session per user, each user must be securely authenticated, and your app must use a unique session identifier for each logged in user.
+* **One session per agent conversation**: If your app uses one session per AI agent conversation, ensure your app uses a unique session identifier for each conversation that can't be modified by the end user.
+
+> [!IMPORTANT]
+> Failure to secure access to sessions may result in misuse or unauthorized access to data stored in your users' sessions.
+
 ### Authentication
 
 Authentication is handled using Microsoft Entra (formerly Azure Active Directory) tokens. Valid Microsoft Entra tokens are generated by an identity belonging to the *Azure ContainerApps Session Executor* and *Contributor* roles on the session pool.