Also, this is a PDF version which will not support all of the wonderful animations in the PowerPoint. If you would like those animations, send me an email. I'm happy to share, but putting out the raw PowerPoint carries some minor OpSec issues so I'm avoiding that.
Meristem has also published a series of articles diving deeper into session defenses, which can be found on this blog or through these direct links:
Part 1 - Overview
Part 2 - Network Sniffing
Part 3 - Token Exposure
Part 4 - JavaScript Injection (XSS)
Part 5 - Blind Session Abuse
Part 6 - Post-compromise Use
Bonus 1 - JWTs: Only Slightly Worse
Bonus 2 - Device Bound Session Tokens
Errata
See a mistake? Disagree with something?