Which of the following is NOT a recommended practice for secure session management?

  • Storing sensitive data in sessions
  • Using secure and HTTP-only cookies
  • Implementing session timeout
  • Generating random and unpredictable session IDs

Storing sensitive data in sessions is not a recommended practice for secure session management. Sensitive data should be stored securely on the server, and only a reference (such as a session ID) should be stored in the session. Sensitive data kept in a session can be exposed if the session data leaks.