Secure Session Management in Web Applications
Session management is the mechanism that maintains a user's authenticated state across multiple requests. Flaws in session management are among the most impactful vulnerabilities — a compromised session token gives an attacker complete access as the victim user.
Session Token Best Practices
- Sufficient entropy: Session tokens must be cryptographically random — at least 128 bits of entropy. Never use predictable values like user IDs or timestamps.
- Secure transmission: Session tokens must only be transmitted over HTTPS. Set the Secure flag on session cookies.
- HttpOnly flag: Session cookies should have HttpOnly set, preventing JavaScript access and mitigating XSS-based session theft.
- SameSite attribute: Set SameSite=Strict or Lax to prevent CSRF attacks using session cookies.
- Reasonable expiry: Sessions should expire after inactivity (typically 15–30 minutes for sensitive applications, up to 24 hours for low-risk).
- Absolute timeout: Sessions should have an absolute maximum lifetime regardless of activity.
Session Lifecycle
- Regenerate after authentication: Issue a new session token immediately after login — prevents session fixation attacks.
- Invalidate on logout: Server-side session invalidation, not just client-side cookie deletion.
- Concurrent session control: For sensitive applications, limit simultaneous sessions per user.
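The token practices and the lifecycle rules above describe one server-side session store, so the following Python example (added here, not code from the original page) implements both lists together: a 256-bit CSPRNG token, a Set-Cookie value with Secure, HttpOnly and SameSite, idle and absolute timeouts, token regeneration on login that discards any pre-authentication token, server-side logout, and a per-user concurrent session cap. The policy values, the cookie name "session", the in-memory dictionary store and the injectable clock are all assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass

# Policy values assumed for this example, chosen within the ranges the lists give.
TOKEN_BYTES = 32                 # 256 bits of CSPRNG output, well above the 128-bit floor
IDLE_TIMEOUT = 15 * 60           # inactivity timeout for a sensitive application
ABSOLUTE_TIMEOUT = 8 * 60 * 60   # hard lifetime regardless of activity
MAX_SESSIONS_PER_USER = 3        # concurrent session limit


@dataclass
class Session:
    user_id: str
    created_at: float
    last_seen: float


class SessionStore:
    """In-memory server-side session store; `clock` is injectable so expiry can be tested."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}  # token -> Session

    def _user_tokens(self, user_id):
        tokens = [tok for tok, s in self._sessions.items() if s.user_id == user_id]
        return sorted(tokens, key=lambda tok: self._sessions[tok].created_at)

    def login(self, user_id, pre_auth_token=None):
        """Issue a brand-new token after successful authentication.

        The pre-authentication session (if any) is discarded rather than upgraded, so a
        token value fixed in the victim's browser before login never becomes authenticated.
        """
        if pre_auth_token is not None:
            self._sessions.pop(pre_auth_token, None)
        # Concurrent session control: evict the oldest session(s) once the limit is reached.
        existing = self._user_tokens(user_id)
        while len(existing) >= MAX_SESSIONS_PER_USER:
            del self._sessions[existing.pop(0)]
        now = self._clock()
        token = secrets.token_urlsafe(TOKEN_BYTES)  # CSPRNG-backed, URL-safe
        self._sessions[token] = Session(user_id, now, now)
        return token

    def lookup(self, token):
        """Resolve a token to a user id, enforcing both timeouts; returns None if not live."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        idle_expired = now - session.last_seen > IDLE_TIMEOUT
        absolute_expired = now - session.created_at > ABSOLUTE_TIMEOUT
        if idle_expired or absolute_expired:
            del self._sessions[token]   # expired sessions are removed, never refreshed
            return None
        session.last_seen = now         # activity extends the idle window only
        return session.user_id

    def logout(self, token):
        """Server-side invalidation; a cookie deleted only in the browser would still resolve here."""
        return self._sessions.pop(token, None) is not None

    def active_count(self, user_id):
        return len(self._user_tokens(user_id))


def session_cookie(token, max_age=IDLE_TIMEOUT):
    """Set-Cookie header value carrying the attributes from the list above.

    Max-Age is only a hint to the browser; the server-side timeouts in SessionStore are authoritative.
    """
    return f"session={token}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    token = store.login("alice", pre_auth_token="value-set-before-login")
    print(session_cookie(token))
    print(store.lookup(token))   # alice
    store.logout(token)
    print(store.lookup(token))   # None
```

The absolute timeout is checked against created_at, which login never refreshes, so a session kept alive by constant activity still ends; the idle timeout is checked against last_seen, which each successful lookup updates.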
JWT Considerations
JWTs used as session tokens require careful handling: use short expiry with refresh token rotation, use RS256 or ES256 (not HS256 with a weak secret), validate all claims server-side, and implement token revocation for critical events (logout, password change, account lock).
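As an added example that is not part of the original page, the Python code below shows the verification side of the paragraph above: the algorithm comes from the verifier's own allow-list (so an "alg": "none" header or an unexpected algorithm is rejected before the signature is even looked at), every claim is validated server-side, access tokens are short-lived, refresh tokens are single-use and rotated, and a jti denylist provides revocation for logout or other critical events. The standard library has no RSA or ECDSA signer, so the runnable demo signs with HS256 under a random 256-bit key; the claim name "use", the lifetimes, the clock-skew allowance and the in-memory denylist are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Policy values assumed for this example (the text gives no specific numbers).
ACCESS_TTL = 5 * 60              # short-lived access token
REFRESH_TTL = 7 * 24 * 60 * 60   # longer-lived, single-use refresh token
ALLOWED_ALGS = {"HS256"}         # verifier's allow-list; "none" or anything else is rejected
CLOCK_SKEW = 60                  # tolerated seconds of issuer/verifier clock drift


def new_key():
    """Random 256-bit HMAC key; a weak or guessable secret would defeat HS256 entirely."""
    return secrets.token_bytes(32)


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(claims, key):
    """Sign claims with HS256 (HMAC-SHA256) over the base64url header and payload."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(signature)}"


class Revocations:
    """Server-side denylist of token ids (jti); entries are pruned once the token has expired anyway."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._revoked = {}  # jti -> exp

    def revoke(self, jti, exp):
        self._revoked[jti] = exp

    def is_revoked(self, jti):
        now = self._clock()
        for old_jti, exp in list(self._revoked.items()):
            if exp <= now:
                del self._revoked[old_jti]
        return jti in self._revoked


def verify_jwt(token, key, issuer, audience, revocations, clock=time.time):
    """Return the claims of a valid token; raise ValueError naming the first failed check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))
    # 1. The algorithm must be on the verifier's allow-list; the header alone is never trusted.
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("algorithm not allowed")
    # 2. Signature check before any claim is read, with a constant-time comparison.
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))
    # 3. Every claim is validated server-side; a missing claim is a failure, not a pass.
    if not isinstance(claims, dict):
        raise ValueError("malformed claims")
    for name in ("iss", "aud", "sub", "iat", "exp", "jti"):
        if name not in claims:
            raise ValueError(f"missing claim: {name}")
    now = clock()
    if claims["iss"] != issuer:
        raise ValueError("wrong issuer")
    if claims["aud"] != audience:
        raise ValueError("wrong audience")
    if now >= claims["exp"]:
        raise ValueError("expired")
    if claims["iat"] > now + CLOCK_SKEW:
        raise ValueError("issued in the future")
    # 4. Revocation: logout, password change or account lock put the jti on the denylist.
    if revocations.is_revoked(claims["jti"]):
        raise ValueError("revoked")
    return claims


def check_jwt(token, key, issuer, audience, revocations, clock=time.time):
    """Non-raising wrapper: (claims, None) on success, (None, reason) on failure."""
    try:
        return verify_jwt(token, key, issuer, audience, revocations, clock), None
    except ValueError as exc:
        return None, str(exc)


def issue_pair(user_id, key, issuer, audience, clock=time.time):
    """Short-lived access token plus a refresh token; "use" is an assumed private claim."""
    now = int(clock())
    base = {"iss": issuer, "aud": audience, "sub": user_id, "iat": now}
    access = dict(base, exp=now + ACCESS_TTL, jti=secrets.token_hex(16), use="access")
    refresh = dict(base, exp=now + REFRESH_TTL, jti=secrets.token_hex(16), use="refresh")
    return issue_jwt(access, key), issue_jwt(refresh, key)


def rotate(refresh_token, key, issuer, audience, revocations, clock=time.time):
    """Refresh rotation: the presented refresh token is single-use and revoked before a new pair is issued."""
    claims = verify_jwt(refresh_token, key, issuer, audience, revocations, clock)
    if claims.get("use") != "refresh":
        raise ValueError("not a refresh token")
    revocations.revoke(claims["jti"], claims["exp"])
    return issue_pair(claims["sub"], key, issuer, audience, clock)
```

With HS256 the same secret both signs and verifies, so every service that validates tokens can also mint them; that is the reason the paragraph above prefers RS256 or ES256 when verifiers should hold only a public key. Swapping the signing routine is the only change needed; the allow-list, claim checks and denylist stay as they are.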