diff --git a/config/openconext/parameters.yaml.dist b/config/openconext/parameters.yaml.dist
index 5705b9f8..f3d53eaf 100644
--- a/config/openconext/parameters.yaml.dist
+++ b/config/openconext/parameters.yaml.dist
@@ -41,6 +41,11 @@ parameters:
     # PCRE as accepted by preg_match (http://php.net/preg_match).
     mobile_app_user_agent_pattern: "/^.*$/"
 
+    # When logging authentication related messages, having a reference to the session id of the user
+    # makes auditing the logs much easier. We do not want to log the session_id for obvious reasons, that's why
+    # a salt is used to hash a part of the session id. Ensuring we do not disclose sensitive data in the logs.
+    session_correlation_salt: 'Mr6LpJYtuWRDdVR2_7VgTChFhzQ'
+
     # Options for the tiqr library
     tiqr_library_options:
         general:
diff --git a/config/packages/framework.yaml b/config/packages/framework.yaml
index 16aae45d..6bf555e3 100644
--- a/config/packages/framework.yaml
+++ b/config/packages/framework.yaml
@@ -14,8 +14,9 @@ framework:
     # Remove or comment this section to explicitly disable session support.
     session:
         handler_id: null
-        cookie_secure: auto
-        cookie_samesite: none
+        name: sess_tiqr
+        cookie_httponly: true
+        cookie_secure: true
     router:
         strict_requirements: null
         utf8: true
diff --git a/config/services.yaml b/config/services.yaml
index d1b7ac86..ffcdc91c 100644
--- a/config/services.yaml
+++ b/config/services.yaml
@@ -19,6 +19,8 @@ services:
             $locales: '%locales%'
             $tiqrConfiguration: '%tiqr_library_options%'
             $appSecret: '%app_secret%'
+            $sessionOptions: '%session.storage.options%'
+            $sessionCorrelationSalt: '%session_correlation_salt%'
 
     # makes classes in src/ available to be used as services
     # this creates a service per class whose id is the fully-qualified class name
diff --git a/src/Attribute/RequiresActiveSession.php b/src/Attribute/RequiresActiveSession.php
new file mode 100644
index 00000000..98d87bfb
--- /dev/null
+++ b/src/Attribute/RequiresActiveSession.php
@@ -0,0 +1,28 @@
+<?php
+
+/**
+ * Copyright 2024 SURFnet B.V.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+declare(strict_types = 1);
+
+namespace Surfnet\Tiqr\Attribute;
+
+use Attribute;
+
+#[Attribute(Attribute::TARGET_CLASS | Attribute::TARGET_METHOD)]
+class RequiresActiveSession
+{
+}
diff --git a/src/Controller/AuthenticationNotificationController.php b/src/Controller/AuthenticationNotificationController.php
index 554c61c0..f0f0568d 100644
--- a/src/Controller/AuthenticationNotificationController.php
+++ b/src/Controller/AuthenticationNotificationController.php
@@ -25,6 +25,7 @@
 use Psr\Log\LoggerInterface;
 use Surfnet\GsspBundle\Service\AuthenticationService;
 use Surfnet\GsspBundle\Service\StateHandlerInterface;
+use Surfnet\Tiqr\Attribute\RequiresActiveSession;
 use Surfnet\Tiqr\Tiqr\Exception\UserNotExistsException;
 use Surfnet\Tiqr\Tiqr\TiqrServiceInterface;
 use Surfnet\Tiqr\Tiqr\TiqrUserRepositoryInterface;
@@ -52,6 +53,7 @@ public function __construct(
      * @throws InvalidArgumentException
      */
     #[Route(path: '/authentication/notification', name: 'app_identity_authentication_notification', methods: ['POST'])]
+    #[RequiresActiveSession]
     public function __invoke(): Response
     {
         $nameId = $this->authenticationService->getNameId();
diff --git a/src/Controller/AuthenticationQrController.php b/src/Controller/AuthenticationQrController.php
index ed3bd456..b7260e03 100644
--- a/src/Controller/AuthenticationQrController.php
+++ b/src/Controller/AuthenticationQrController.php
@@ -24,6 +24,7 @@
 use Psr\Log\LoggerInterface;
 use Surfnet\GsspBundle\Service\AuthenticationService;
 use Surfnet\GsspBundle\Service\StateHandlerInterface;
+use Surfnet\Tiqr\Attribute\RequiresActiveSession;
 use Surfnet\Tiqr\Tiqr\TiqrServiceInterface;
 use Surfnet\Tiqr\WithContextLogger;
 use Symfony\Component\HttpFoundation\Response;
@@ -44,6 +45,7 @@ public function __construct(
      * @throws InvalidArgumentException
      */
     #[Route(path: '/authentication/qr', name: 'app_identity_authentication_qr', methods: ['GET'])]
+    #[RequiresActiveSession]
     public function __invoke(): Response
     {
         $nameId = $this->authenticationService->getNameId();
diff --git a/src/Controller/AuthenticationStatusController.php b/src/Controller/AuthenticationStatusController.php
index ce5e71c3..5a130c9c 100644
--- a/src/Controller/AuthenticationStatusController.php
+++ b/src/Controller/AuthenticationStatusController.php
@@ -25,6 +25,7 @@
 use Psr\Log\LoggerInterface;
 use Surfnet\GsspBundle\Service\AuthenticationService;
 use Surfnet\GsspBundle\Service\StateHandlerInterface;
+use Surfnet\Tiqr\Attribute\RequiresActiveSession;
 use Surfnet\Tiqr\Tiqr\TiqrServiceInterface;
 use Surfnet\Tiqr\WithContextLogger;
 use Symfony\Component\HttpFoundation\JsonResponse;
@@ -44,6 +45,7 @@ public function __construct(
      * @throws InvalidArgumentException
      */
     #[Route(path: '/authentication/status', name: 'app_identity_authentication_status', methods: ['GET'])]
+    #[RequiresActiveSession]
     public function __invoke(): JsonResponse
     {
         try {
@@ -57,7 +59,6 @@ public function __invoke(): JsonResponse
                 return $this->refreshAuthenticationPage();
             }
 
-
             $isAuthenticated = $this->tiqrService->isAuthenticated();
 
             if ($isAuthenticated) {
diff --git a/src/Controller/RegistrationController.php b/src/Controller/RegistrationController.php
index 5ba1c942..67f0a3ba 100644
--- a/src/Controller/RegistrationController.php
+++ b/src/Controller/RegistrationController.php
@@ -23,6 +23,7 @@
 use Psr\Log\LoggerInterface;
 use Surfnet\GsspBundle\Service\RegistrationService;
 use Surfnet\GsspBundle\Service\StateHandlerInterface;
+use Surfnet\Tiqr\Attribute\RequiresActiveSession;
 use Surfnet\Tiqr\Exception\NoActiveAuthenrequestException;
 use Surfnet\Tiqr\Tiqr\Legacy\TiqrService;
 use Surfnet\Tiqr\Tiqr\TiqrServiceInterface;
@@ -90,9 +91,8 @@ public function registration(Request $request): Response
      *
      *
      * @throws \InvalidArgumentException
-     *
-     * Requires session cookie to be set to a valid session.
      */
+    #[RequiresActiveSession]
     #[Route(path: '/registration/status', name: 'app_identity_registration_status', methods: ['GET'])]
     public function registrationStatus() : Response
     {
@@ -123,6 +123,7 @@ public function registrationStatus() : Response
      *
      * @throws \InvalidArgumentException
      */
+    #[RequiresActiveSession]
     #[Route(path: '/registration/qr/{enrollmentKey}', name: 'app_identity_registration_qr', methods: ['GET'])]
     public function registrationQr(Request $request, string $enrollmentKey): Response
     {
diff --git a/src/EventSubscriber/RequiresActiveSessionAttributeListener.php b/src/EventSubscriber/RequiresActiveSessionAttributeListener.php
new file mode 100644
index 00000000..beb7a5a3
--- /dev/null
+++ b/src/EventSubscriber/RequiresActiveSessionAttributeListener.php
@@ -0,0 +1,93 @@
+<?php
+
+/**
+ * Copyright 2024 SURFnet B.V.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+declare(strict_types = 1);
+
+namespace Surfnet\Tiqr\EventSubscriber;
+
+use Psr\Log\LoggerInterface;
+use RuntimeException;
+use Surfnet\Tiqr\Attribute\RequiresActiveSession;
+use Surfnet\Tiqr\Service\SessionCorrelationIdService;
+use Surfnet\Tiqr\WithContextLogger;
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+use Symfony\Component\HttpFoundation\Exception\SessionNotFoundException;
+use Symfony\Component\HttpKernel\Event\ControllerArgumentsEvent;
+use Symfony\Component\HttpKernel\KernelEvents;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
+use function is_array;
+
+/**
+ * This listener acts when the given route has a #[RequiresActiveSession] attribute.
+ * When a route is marked as to have a required active session this listener will deny access when there is none.
+ */
+final readonly class RequiresActiveSessionAttributeListener implements EventSubscriberInterface
+{
+    private string $sessionName;
+
+    public function __construct(
+        private LoggerInterface             $logger,
+        private SessionCorrelationIdService $sessionCorrelationIdService,
+        private array $sessionOptions,
+    ) {
+        if (!array_key_exists('name', $this->sessionOptions)) {
+            throw new RuntimeException(
+                'The session name (PHP session cookie identifier) could not be found in the session configuration.'
+            );
+        }
+        $this->sessionName = $this->sessionOptions['name'];
+    }
+
+    public function onKernelControllerArguments(ControllerArgumentsEvent $event): void
+    {
+        if (!is_array($event->getAttributes()[RequiresActiveSession::class] ?? null)) {
+            return;
+        }
+
+        $logger = WithContextLogger::from($this->logger, [
+            'correlationId' => $this->sessionCorrelationIdService->generateCorrelationId() ?? '',
+            'route' => $event->getRequest()->getRequestUri(),
+        ]);
+
+        try {
+            $sessionId = $event->getRequest()->getSession()->getId();
+            $sessionCookieId = $event->getRequest()->cookies->get($this->sessionName);
+
+            if (!$sessionCookieId) {
+                $logger->error('Route requires active session. Active session wasn\'t found. No session cookie was set.');
+
+                throw new AccessDeniedException();
+            }
+
+            if ($sessionId !== $sessionCookieId) {
+                $logger->error('Route requires active session. Session does not match session cookie.');
+
+                throw new AccessDeniedException();
+            }
+        } catch (SessionNotFoundException) {
+            $logger->error('Route requires active session. Active session wasn\'t found.');
+
+            throw new AccessDeniedException();
+        }
+    }
+
+    public static function getSubscribedEvents(): array
+    {
+        return [KernelEvents::CONTROLLER_ARGUMENTS => ['onKernelControllerArguments', 20]];
+    }
+}
diff --git a/src/EventSubscriber/SessionStateListener.php b/src/EventSubscriber/SessionStateListener.php
new file mode 100644
index 00000000..a03a774b
--- /dev/null
+++ b/src/EventSubscriber/SessionStateListener.php
@@ -0,0 +1,87 @@
+<?php
+
+/**
+ * Copyright 2024 SURFnet B.V.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+declare(strict_types = 1);
+
+namespace Surfnet\Tiqr\EventSubscriber;
+
+use Psr\Log\LoggerInterface;
+use RuntimeException;
+use Surfnet\Tiqr\Service\SessionCorrelationIdService;
+use Surfnet\Tiqr\WithContextLogger;
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+use Symfony\Component\HttpFoundation\Exception\SessionNotFoundException;
+use Symfony\Component\HttpKernel\Event\RequestEvent;
+use Symfony\Component\HttpKernel\KernelEvents;
+
+/**
+ * Listen to all incoming requests and log the session state information.
+ */
+final readonly class SessionStateListener implements EventSubscriberInterface
+{
+    private string $sessionName;
+
+    public function __construct(
+        private LoggerInterface $logger,
+        private SessionCorrelationIdService $sessionCorrelationIdService,
+        private array $sessionOptions,
+    ) {
+        if (!array_key_exists('name', $this->sessionOptions)) {
+            throw new RuntimeException(
+                'The session name (PHP session cookie identifier) could not be found in the session configuration.'
+            );
+        }
+        $this->sessionName = $this->sessionOptions['name'];
+    }
+
+    public function onKernelRequest(RequestEvent $event): void
+    {
+        $logger = WithContextLogger::from($this->logger, [
+            'correlationId' => $this->sessionCorrelationIdService->generateCorrelationId() ?? '',
+            'route' => $event->getRequest()->getRequestUri(),
+        ]);
+
+        $sessionCookieId = $event->getRequest()->cookies->get($this->sessionName);
+        if ($sessionCookieId === null) {
+            $logger->info('User made a request without a session cookie.');
+            return;
+        }
+
+        $logger->info('User made a request with a session cookie.');
+
+        try {
+            $sessionId = $event->getRequest()->getSession()->getId();
+            $logger->info('User has a session.');
+
+            if ($sessionId !== $sessionCookieId) {
+                $logger->error('The session cookie does not match the session id.');
+                return;
+            }
+        } catch (SessionNotFoundException) {
+            $logger->info('Session not found.');
+            return;
+        }
+
+        $logger->info('User session matches the session cookie.');
+    }
+
+    public static function getSubscribedEvents(): array
+    {
+        return [KernelEvents::REQUEST => ['onKernelRequest', 20]];
+    }
+}
diff --git a/src/Service/SessionCorrelationIdService.php b/src/Service/SessionCorrelationIdService.php
new file mode 100644
index 00000000..76e72698
--- /dev/null
+++ b/src/Service/SessionCorrelationIdService.php
@@ -0,0 +1,57 @@
+<?php
+
+/**
+ * Copyright 2024 SURFnet B.V.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+declare(strict_types = 1);
+
+namespace Surfnet\Tiqr\Service;
+
+use RuntimeException;
+use Symfony\Component\HttpFoundation\RequestStack;
+
+final readonly class SessionCorrelationIdService
+{
+    private string $sessionName;
+
+    public function __construct(
+        private RequestStack $requestStack,
+        private array $sessionOptions,
+        private string $sessionCorrelationSalt,
+    ) {
+        if (!array_key_exists('name', $this->sessionOptions)) {
+            throw new RuntimeException(
+                'The session name (PHP session cookie identifier) could not be found in the session configuration.'
+            );
+        }
+        if (empty($this->sessionCorrelationSalt)) {
+            throw new RuntimeException('Please configure a non empty session correlation salt.');
+        }
+
+        $this->sessionName = $this->sessionOptions['name'];
+    }
+
+    public function generateCorrelationId(): ?string
+    {
+        $sessionCookie = $this->requestStack->getMainRequest()?->cookies->get($this->sessionName);
+
+        if ($sessionCookie === null) {
+            return null;
+        }
+
+        return hash('sha256', $this->sessionCorrelationSalt . substr($sessionCookie, 0, 10));
+    }
+}
diff --git a/src/Session/LoggingSessionFactory.php b/src/Session/LoggingSessionFactory.php
new file mode 100644
index 00000000..8491197f
--- /dev/null
+++ b/src/Session/LoggingSessionFactory.php
@@ -0,0 +1,70 @@
+<?php
+
+declare(strict_types = 1);
+
+/**
+ * Copyright 2024 SURFnet B.V.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+namespace Surfnet\Tiqr\Session;
+
+use Psr\Log\LoggerInterface;
+use Surfnet\Tiqr\Service\SessionCorrelationIdService;
+use Surfnet\Tiqr\WithContextLogger;
+use Symfony\Component\DependencyInjection\Attribute\AsDecorator;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
+use Symfony\Component\HttpFoundation\RequestStack;
+use Symfony\Component\HttpFoundation\Session\SessionFactory;
+use Symfony\Component\HttpFoundation\Session\SessionInterface;
+use Symfony\Component\HttpFoundation\Session\Storage\SessionStorageFactoryInterface;
+
+/**
+ * This class serves as a decorated version of Symfony's SessionFactory class.
+ * Every time a session is created, we'll add a log entry that can be identified by the correlation id.
+ *
+ * For this logging function to work we need a stateless logger, therefore we inject the default logger by using the variable name $monoLogger.
+ * The variable name $logger has been bound to the Surfnet GSSP logger in the Symfony container, so we'll need to use another variable name.
+ * The Surfnet GSSP Logger isn't stateless as it's dependent on the current session, which has not been created when the logging occurs.
+ *
+ * @see SessionFactory::createSession()
+ */
+#[AsDecorator('session.factory')]
+final class LoggingSessionFactory extends SessionFactory
+{
+    private LoggerInterface $logger;
+
+    public function __construct(
+        RequestStack                   $requestStack,
+        #[Autowire(service: 'session.storage.factory')]
+        SessionStorageFactoryInterface $storageFactory,
+        LoggerInterface                $monologLogger,
+        SessionCorrelationIdService    $sessionCorrelationIdService,
+        ?callable                      $usageReporter = null,
+    ) {
+        $this->logger = WithContextLogger::from(
+            $monologLogger,
+            ['correlationId' => $sessionCorrelationIdService->generateCorrelationId() ?? ''],
+        );
+
+        parent::__construct($requestStack, $storageFactory, $usageReporter);
+    }
+
+    public function createSession(): SessionInterface
+    {
+        $this->logger->info('Created new session.');
+
+        return parent::createSession();
+    }
+}
diff --git a/tests/Unit/EventSubscriber/RequiresActiveSessionAttributeListenerTest.php b/tests/Unit/EventSubscriber/RequiresActiveSessionAttributeListenerTest.php
new file mode 100644
index 00000000..0f310f0b
--- /dev/null
+++ b/tests/Unit/EventSubscriber/RequiresActiveSessionAttributeListenerTest.php
@@ -0,0 +1,227 @@
+<?php
+/**
+ * Copyright 2024 SURFnet B.V.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+namespace Unit\EventSubscriber;
+
+use Mockery;
+use Psr\Log\LoggerInterface;
+use Psr\Log\LogLevel;
+use Surfnet\Tiqr\Attribute\RequiresActiveSession;
+use Surfnet\Tiqr\EventSubscriber\RequiresActiveSessionAttributeListener;
+use Surfnet\Tiqr\Service\SessionCorrelationIdService;
+use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
+use Symfony\Component\EventDispatcher\EventDispatcher;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\RequestStack;
+use Symfony\Component\HttpFoundation\Session\Session;
+use Symfony\Component\HttpFoundation\Session\Storage\MockArraySessionStorage;
+use Symfony\Component\HttpKernel\Event\ControllerArgumentsEvent;
+use Symfony\Component\HttpKernel\Event\ControllerEvent;
+use Symfony\Component\HttpKernel\HttpKernelInterface;
+use Symfony\Component\HttpKernel\KernelEvents;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
+
+final class RequiresActiveSessionAttributeListenerTest extends KernelTestCase
+{
+    private const SESSION_ID = 'session-id';
+
+    public function testControllersWithoutTheRequiresActiveSessionAttributeAreIgnored(): void
+    {
+        $this->expectNotToPerformAssertions();
+
+        self::bootKernel();
+
+        $request = new Request(server: ['REQUEST_URI' => '/route']);
+
+        $requestStack = new RequestStack();
+        $requestStack->push($request);
+
+        $stubControllerFactory = fn() => new class extends AbstractController {
+        };
+
+        $event = new ControllerArgumentsEvent(
+            self::$kernel,
+            $stubControllerFactory,
+            [], $request,
+            HttpKernelInterface::MAIN_REQUEST
+        );
+
+        $dispatcher = new EventDispatcher();
+
+        $mockLogger = Mockery::mock(LoggerInterface::class);
+        $mockLogger->shouldNotReceive('log');
+
+        $listener = new RequiresActiveSessionAttributeListener($mockLogger, new SessionCorrelationIdService($requestStack));
+
+        $dispatcher->addListener(KernelEvents::REQUEST, [$listener, 'onKernelControllerArguments']);
+        $dispatcher->dispatch($event, KernelEvents::REQUEST);
+    }
+
+    public function testItDeniesAccessWhenThereIsNoActiveSession(): void
+    {
+        $this->expectException(AccessDeniedException::class);
+        $this->expectExceptionMessage('Access Denied.');
+
+        self::bootKernel();
+
+        $request = new Request(server: ['REQUEST_URI' => '/route']);
+
+        $requestStack = new RequestStack();
+        $requestStack->push($request);
+
+        $stubControllerFactory = fn() => new class extends AbstractController {
+        };
+
+        $requestType = HttpKernelInterface::MAIN_REQUEST;
+        $controllerEvent = new ControllerEvent(self::$kernel, $stubControllerFactory, $request, $requestType);
+        $controllerEvent->setController($stubControllerFactory, [RequiresActiveSession::class => [null]]);
+        $event = new ControllerArgumentsEvent(self::$kernel, $controllerEvent, [], $request, $requestType);
+
+        $dispatcher = new EventDispatcher();
+
+        $mockLogger = Mockery::mock(LoggerInterface::class);
+        $mockLogger->shouldReceive('log')
+            ->once()
+            ->with(
+                LogLevel::ERROR,
+                'Route requires active session. Active session wasn\'t found.',
+                ['correlationId' => '', 'route' => '/route']
+            );
+
+        $listener = new RequiresActiveSessionAttributeListener($mockLogger, new SessionCorrelationIdService($requestStack));
+
+        $dispatcher->addListener(KernelEvents::REQUEST, [$listener, 'onKernelControllerArguments']);
+        $dispatcher->dispatch($event, KernelEvents::REQUEST);
+    }
+
+    public function testItDeniesAccessWhenThereIsNoSessionCookie(): void
+    {
+        $this->expectException(AccessDeniedException::class);
+        $this->expectExceptionMessage('Access Denied.');
+
+        self::bootKernel();
+
+        $session = new Session(new MockArraySessionStorage());
+        $session->setId(self::SESSION_ID);
+
+        $request = new Request(server: ['REQUEST_URI' => '/route']);
+        $request->setSession($session);
+
+        $requestStack = new RequestStack();
+        $requestStack->push($request);
+
+        $stubControllerFactory = fn() => new class extends AbstractController {
+        };
+
+        $requestType = HttpKernelInterface::MAIN_REQUEST;
+        $controllerEvent = new ControllerEvent(self::$kernel, $stubControllerFactory, $request, $requestType);
+        $controllerEvent->setController($stubControllerFactory, [RequiresActiveSession::class => [null]]);
+        $event = new ControllerArgumentsEvent(self::$kernel, $controllerEvent, [], $request, $requestType);
+
+        $dispatcher = new EventDispatcher();
+
+        $mockLogger = Mockery::mock(LoggerInterface::class);
+        $mockLogger->shouldReceive('log')
+            ->once()
+            ->with(
+                LogLevel::ERROR,
+                'Route requires active session. Active session wasn\'t found. No session cookie was set.',
+                ['correlationId' => '', 'route' => '/route']
+            );
+
+        $listener = new RequiresActiveSessionAttributeListener($mockLogger, new SessionCorrelationIdService($requestStack));
+
+        $dispatcher->addListener(KernelEvents::REQUEST, [$listener, 'onKernelControllerArguments']);
+        $dispatcher->dispatch($event, KernelEvents::REQUEST);
+    }
+
+    public function testItDeniesAccessWhenTheActiveSessionDoesNotMatchTheSessionCookie(): void
+    {
+        $this->expectException(AccessDeniedException::class);
+        $this->expectExceptionMessage('Access Denied.');
+
+        self::bootKernel();
+
+        $session = new Session(new MockArraySessionStorage());
+        $session->setId('erroneous-session-id');
+
+        $request = new Request(server: ['REQUEST_URI' => '/route'], cookies: ['PHPSESSID' => self::SESSION_ID]);
+        $request->setSession($session);
+
+        $requestStack = new RequestStack();
+        $requestStack->push($request);
+
+        $stubControllerFactory = fn() => new class extends AbstractController {
+        };
+
+        $requestType = HttpKernelInterface::MAIN_REQUEST;
+        $controllerEvent = new ControllerEvent(self::$kernel, $stubControllerFactory, $request, $requestType);
+        $controllerEvent->setController($stubControllerFactory, [RequiresActiveSession::class => [null]]);
+        $event = new ControllerArgumentsEvent(self::$kernel, $controllerEvent, [], $request, $requestType);
+
+        $dispatcher = new EventDispatcher();
+
+        $mockLogger = Mockery::mock(LoggerInterface::class);
+        $mockLogger->shouldReceive('log')
+            ->once()
+            ->with(
+                LogLevel::ERROR,
+                'Route requires active session. Session does not match session cookie.',
+                ['correlationId' => 'f6e7cfb6f0861f577c48f171e27542236b1184f7a599dde82aca1640d86da961', 'route' => '/route']
+            );
+
+        $listener = new RequiresActiveSessionAttributeListener($mockLogger, new SessionCorrelationIdService($requestStack));
+
+        $dispatcher->addListener(KernelEvents::REQUEST, [$listener, 'onKernelControllerArguments']);
+        $dispatcher->dispatch($event, KernelEvents::REQUEST);
+    }
+
+    public function testItDoesNotThrowWhenTheActiveSessionMatchesTheSessionCookie(): void
+    {
+        $this->expectNotToPerformAssertions();
+
+        self::bootKernel();
+
+        $session = new Session(new MockArraySessionStorage());
+        $session->setId(self::SESSION_ID);
+
+        $request = new Request(server: ['REQUEST_URI' => '/route'], cookies: ['PHPSESSID' => self::SESSION_ID]);
+        $request->setSession($session);
+
+        $requestStack = new RequestStack();
+        $requestStack->push($request);
+
+        $stubControllerFactory = fn() => new class extends AbstractController {
+        };
+
+        $requestType = HttpKernelInterface::MAIN_REQUEST;
+        $controllerEvent = new ControllerEvent(self::$kernel, $stubControllerFactory, $request, $requestType);
+        $controllerEvent->setController($stubControllerFactory, [RequiresActiveSession::class => [null]]);
+        $event = new ControllerArgumentsEvent(self::$kernel, $controllerEvent, [], $request, $requestType);
+
+        $dispatcher = new EventDispatcher();
+
+        $mockLogger = Mockery::mock(LoggerInterface::class);
+        $mockLogger->shouldNotReceive('log');
+
+        $listener = new RequiresActiveSessionAttributeListener($mockLogger, new SessionCorrelationIdService($requestStack));
+
+        $dispatcher->addListener(KernelEvents::REQUEST, [$listener, 'onKernelControllerArguments']);
+        $dispatcher->dispatch($event, KernelEvents::REQUEST);
+    }
+}
diff --git a/tests/Unit/EventSubscriber/SessionStateListenerTest.php b/tests/Unit/EventSubscriber/SessionStateListenerTest.php
new file mode 100644
index 00000000..580bddbc
--- /dev/null
+++ b/tests/Unit/EventSubscriber/SessionStateListenerTest.php
@@ -0,0 +1,166 @@
+<?php
+/**
+ * Copyright 2024 SURFnet B.V.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+namespace Unit\EventSubscriber;
+
+use Mockery;
+use Psr\Log\LoggerInterface;
+use Psr\Log\LogLevel;
+use Surfnet\Tiqr\EventSubscriber\SessionStateListener;
+use Surfnet\Tiqr\Service\SessionCorrelationIdService;
+use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
+use Symfony\Component\EventDispatcher\EventDispatcher;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\RequestStack;
+use Symfony\Component\HttpFoundation\Session\Session;
+use Symfony\Component\HttpFoundation\Session\Storage\MockArraySessionStorage;
+use Symfony\Component\HttpKernel\Event\RequestEvent;
+use Symfony\Component\HttpKernel\HttpKernelInterface;
+use Symfony\Component\HttpKernel\KernelEvents;
+
+final class SessionStateListenerTest extends KernelTestCase
+{
+    private const SESSION_ID = 'session-id';
+
+    public function testItLogsWhenUserHasNoSessionCookie(): void
+    {
+        $this->expectNotToPerformAssertions();
+
+        self::bootKernel();
+
+        $request = new Request(server: ['REQUEST_URI' => '/route']);
+
+        $requestStack = new RequestStack();
+        $requestStack->push($request);
+
+        $event = new RequestEvent(self::$kernel, $request, HttpKernelInterface::MAIN_REQUEST);
+
+        $dispatcher = new EventDispatcher();
+
+        $mockLogger = Mockery::mock(LoggerInterface::class);
+        $mockLogger->shouldReceive('log')
+            ->once()
+            ->with(LogLevel::INFO, 'User made a request without a session cookie.', ['correlationId' => '', 'route' => '/route']);
+
+        $listener = new SessionStateListener($mockLogger, new SessionCorrelationIdService($requestStack));
+
+        $dispatcher->addListener(KernelEvents::REQUEST, [$listener, 'onKernelRequest']);
+        $dispatcher->dispatch($event, KernelEvents::REQUEST);
+    }
+
+    public function testItLogsWhenUserHasNoSession(): void
+    {
+        $this->expectNotToPerformAssertions();
+
+        self::bootKernel();
+
+        $request = new Request(server: ['REQUEST_URI' => '/route'], cookies: ['PHPSESSID' => self::SESSION_ID]);
+
+        $requestStack = new RequestStack();
+        $requestStack->push($request);
+
+        $event = new RequestEvent(self::$kernel, $request, HttpKernelInterface::MAIN_REQUEST);
+
+        $dispatcher = new EventDispatcher();
+
+        $mockLogger = Mockery::mock(LoggerInterface::class);
+        $mockLogger->shouldReceive('log')
+            ->once()
+            ->with(LogLevel::INFO, 'User made a request with a session cookie.', ['correlationId' => 'f6e7cfb6f0861f577c48f171e27542236b1184f7a599dde82aca1640d86da961', 'route' => '/route']);
+        $mockLogger->shouldReceive('log')
+            ->once()
+            ->with(LogLevel::INFO, 'Session not found.', ['correlationId' => 'f6e7cfb6f0861f577c48f171e27542236b1184f7a599dde82aca1640d86da961', 'route' => '/route']);
+
+        $listener = new SessionStateListener($mockLogger, new SessionCorrelationIdService($requestStack));
+
+        $dispatcher->addListener(KernelEvents::REQUEST, [$listener, 'onKernelRequest']);
+        $dispatcher->dispatch($event, KernelEvents::REQUEST);
+    }
+
+    public function testItLogsAnErrorWhenTheSessionIdDoesNotMatchTheSessionCookie(): void
+    {
+        $this->expectNotToPerformAssertions();
+
+        self::bootKernel();
+
+        $session = new Session(new MockArraySessionStorage());
+        $session->setId('erroneous-session-id');
+
+        $request = new Request(server: ['REQUEST_URI' => '/route'], cookies: ['PHPSESSID' => self::SESSION_ID]);
+        $request->setSession($session);
+
+        $requestStack = new RequestStack();
+        $requestStack->push($request);
+
+        $event = new RequestEvent(self::$kernel, $request, HttpKernelInterface::MAIN_REQUEST);
+
+        $dispatcher = new EventDispatcher();
+
+        $mockLogger = Mockery::mock(LoggerInterface::class);
+        $mockLogger->shouldReceive('log')
+            ->once()
+            ->with(LogLevel::INFO, 'User made a request with a session cookie.', ['correlationId' => 'f6e7cfb6f0861f577c48f171e27542236b1184f7a599dde82aca1640d86da961', 'route' => '/route']);
+        $mockLogger->shouldReceive('log')
+            ->once()
+            ->with(LogLevel::INFO, 'User has a session.', ['correlationId' => 'f6e7cfb6f0861f577c48f171e27542236b1184f7a599dde82aca1640d86da961', 'route' => '/route']);
+        $mockLogger->shouldReceive('log')
+            ->once()
+            ->with(LogLevel::ERROR, 'The session cookie does not match the session id.', ['correlationId' => 'f6e7cfb6f0861f577c48f171e27542236b1184f7a599dde82aca1640d86da961', 'route' => '/route']);
+
+        $listener = new SessionStateListener($mockLogger, new SessionCorrelationIdService($requestStack));
+
+        $dispatcher->addListener(KernelEvents::REQUEST, [$listener, 'onKernelRequest']);
+        $dispatcher->dispatch($event, KernelEvents::REQUEST);
+    }
+
+    public function testTheUserSessionMatchesTheSessionCookie(): void
+    {
+        $this->expectNotToPerformAssertions();
+
+        self::bootKernel();
+
+        $session = new Session(new MockArraySessionStorage());
+        $session->setId(self::SESSION_ID);
+
+        $request = new Request(server: ['REQUEST_URI' => '/route'], cookies: ['PHPSESSID' => self::SESSION_ID]);
+        $request->setSession($session);
+
+        $requestStack = new RequestStack();
+        $requestStack->push($request);
+
+
+        $event = new RequestEvent(self::$kernel, $request, HttpKernelInterface::MAIN_REQUEST);
+
+        $dispatcher = new EventDispatcher();
+
+        $mockLogger = Mockery::mock(LoggerInterface::class);
+        $mockLogger->shouldReceive('log')
+            ->once()
+            ->with(LogLevel::INFO, 'User made a request with a session cookie.', ['correlationId' => 'f6e7cfb6f0861f577c48f171e27542236b1184f7a599dde82aca1640d86da961', 'route' => '/route']);
+        $mockLogger->shouldReceive('log')
+            ->once()
+            ->with(LogLevel::INFO, 'User has a session.', ['correlationId' => 'f6e7cfb6f0861f577c48f171e27542236b1184f7a599dde82aca1640d86da961', 'route' => '/route']);
+        $mockLogger->shouldReceive('log')
+            ->once()
+            ->with(LogLevel::INFO, 'User session matches the session cookie.', ['correlationId' => 'f6e7cfb6f0861f577c48f171e27542236b1184f7a599dde82aca1640d86da961', 'route' => '/route']);
+
+        $listener = new SessionStateListener($mockLogger, new SessionCorrelationIdService($requestStack));
+
+        $dispatcher->addListener(KernelEvents::REQUEST, [$listener, 'onKernelRequest']);
+        $dispatcher->dispatch($event, KernelEvents::REQUEST);
+    }
+}
diff --git a/tests/Unit/Service/SessionCorrelationIdServiceTest.php b/tests/Unit/Service/SessionCorrelationIdServiceTest.php
new file mode 100644
index 00000000..8ff8c178
--- /dev/null
+++ b/tests/Unit/Service/SessionCorrelationIdServiceTest.php
@@ -0,0 +1,48 @@
+<?php
+/**
+ * Copyright 2024 SURFnet B.V.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+namespace Unit\Service;
+
+use PHPUnit\Framework\TestCase;
+use Surfnet\Tiqr\Service\SessionCorrelationIdService;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\RequestStack;
+
+final class SessionCorrelationIdServiceTest extends TestCase
+{
+    public function testItHasNoCorrelationIdWhenThereIsNoSessionCookie(): void
+    {
+        $request = new Request();
+        $requestStack = new RequestStack();
+        $requestStack->push($request);
+
+        $service = new SessionCorrelationIdService($requestStack);
+
+        $this->assertNull($service->generateCorrelationId());
+    }
+
+    public function testItGeneratesACorrelationIdBasedOnTheSessionCookie(): void
+    {
+        $request = new Request(cookies: ['PHPSESSID' => 'session-id']);
+        $requestStack = new RequestStack();
+        $requestStack->push($request);
+
+        $service = new SessionCorrelationIdService($requestStack);
+
+        $this->assertSame('f6e7cfb6f0861f577c48f171e27542236b1184f7a599dde82aca1640d86da961', $service->generateCorrelationId());
+    }
+}
diff --git a/tests/Unit/Session/LoggingSessionFactoryTest.php b/tests/Unit/Session/LoggingSessionFactoryTest.php
new file mode 100644
index 00000000..43d625f5
--- /dev/null
+++ b/tests/Unit/Session/LoggingSessionFactoryTest.php
@@ -0,0 +1,53 @@
+<?php
+/**
+ * Copyright 2024 SURFnet B.V.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+namespace Unit\Session;
+
+use Mockery;
+use Psr\Log\LoggerInterface;
+use Psr\Log\LogLevel;
+use Surfnet\Tiqr\Service\SessionCorrelationIdService;
+use Surfnet\Tiqr\Session\LoggingSessionFactory;
+use PHPUnit\Framework\TestCase;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\RequestStack;
+use Symfony\Component\HttpFoundation\Session\SessionInterface;
+use Symfony\Component\HttpFoundation\Session\Storage\SessionStorageFactoryInterface;
+
+final class LoggingSessionFactoryTest extends TestCase
+{
+    public function testItLogsWheneverASessionIsCreated(): void
+    {
+        $request = new Request(cookies: ['PHPSESSID' => 'session-id']);
+        $requestStack = new RequestStack();
+        $requestStack->push($request);
+
+        $mockLogger = Mockery::mock(LoggerInterface::class);
+        $mockLogger->shouldReceive('log')
+            ->once()
+            ->with(LogLevel::INFO, 'Created new session.', ['correlationId' => 'f6e7cfb6f0861f577c48f171e27542236b1184f7a599dde82aca1640d86da961']);
+
+        $sessionFactory = new LoggingSessionFactory(
+            $requestStack,
+            $this->createStub(SessionStorageFactoryInterface::class),
+            $mockLogger,
+            new SessionCorrelationIdService($requestStack),
+        );
+
+        $this->assertInstanceOf(SessionInterface::class, $sessionFactory->createSession());
+    }
+}