Session Management
Last updated
Last updated
This page contains recommendations for the implementation of session management.
There are two approaches to session management: Stateful and Stateless.
In the case of the Stateful approach, a session token is generated on the server side, saved to a database and passed to a client. The client uses this token to make requests to the server side. Therefore, the server-side stores the following bundle: account_id:session_id.
In the case of the Stateless approach, a session token is generated on the server side (or by a third-party service), signed using a private key (or secret key) and passed to a client. The client uses this token to make requests to the server side. Therefore, the server side needs to store a public key (or secret key) to validate the signature.
Use the base cookie format to store session IDs, see the Cookie Security page.
Do not store any sensitive data (tokens, credentials, PII, etc.) in a session ID.
Use the session management built into the framework you are using instead of implementing a homemade one from scratch.
Use up-to-date and well-known frameworks and libraries that implement session management.
Review and change the default configuration of the framework or library you are using to enhance its security.
Consider session IDs as untrusted data, as any other user input.
Implement an idle or inactivity timeout for every session.
Implement a mechanism to allow users to actively close a session (logout) after they have finished using an application.
Invalidate the session at least on the server side while closing a session.
Use different session IDs and token names for pre- and post-authentication flows.
Do not cache session IDs if caching application contents is allowed, see the Transport Layer Protection page.
Do not pass a session ID in an URL (path, query or fragment).
Renew or regenerate a session ID after any privilege level change within the associated user session (anonymous -> regular user, regular user -> admin user, etc.).
Handle and store session IDs according to the Session Management page.
Log successful and unsuccessful events related to a session lifecycle (such as creation, regeneration, revoke) including attempts to access resources with invalid session IDs, see the Logging and Monitoring page.
Use the ultimate cookie format to store session IDs, see the Cookie Security page.
If a framework is used, change the default session ID name to something neutral, for example, sessionid or id.
Implement an absolute timeout for every session regardless of session activity.
Provide users with the ability to manage active sessions (view and close active sessions).
Generate a session ID using a cryptographically strong generator, see the Cryptography: Random Generators page.
Use session IDs of length 16+ bytes.
Do not accept a session ID that has never been generated by an application. In case of receiving one, generate a new one for anonymous access and set it to a user.
Use JSON Web Tokens (JWT) to implement stateless session management, see the JSON Web Token (JWT) page.
Use the exp claim to implement a session timeout.
Use the following algorithm to implement the logout functionality:
Store the jti claim (unique token identifier) for each issued token.
If a user logged out from an application, move the jti to a list of blocked tokens.
Remove a token from the block list when a token expires (check the exp claim to determine if a token has expired).
