In Miami, Florida, cybersecurity analyst Laura Bennett is responding to a series of unauthorized access...

The scenario clearly indicates session hijacking risk caused by interception of session IDs over unsecured connections. In CEH-aligned web security, when session tokens are transmitted without strong transport encryption, an attacker positioned on the same network path can sniff traffic and capture cookies or URL-based session IDs, then reuse them to impersonate the victim. The most effective control that directly addresses interception in transit across the entire portal is enforcing SSL/TLS for all session-related communications, meaning every page and request that could carry authentication state is protected by HTTPS. This prevents passive eavesdropping and significantly reduces the feasibility of man-in-the-middle capture of session identifiers during normal user interactions.

Option A, regenerating the session ID after login, is an important defense against session fixation, but it does not stop an attacker from stealing the new session token if it is later transmitted over plaintext HTTP. Option C, cache-control directives, helps prevent sensitive pages from being stored in shared caches or browser history, but it does not protect session IDs from network sniffing. Option D, avoiding sessions for unauthenticated users, can reduce some tracking exposure, yet the core issue here is hijacking of authenticated sessions due to unencrypted transport.

Therefore, implementing SSL/TLS across the portal, typically combined with secure cookie flags and strict HTTPS enforcement, is the correct countermeasure for the described interception-based session hijacking.