Skip to main content

Set a maximum lifetime in sessions


Application sessions should have a maximum lifetime, regardless of the user activity (absolute timeout).


  • CWE-613: Insufficient Session Expiration: Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.

  • NIST 800-53 AC-12: Session termination: The information system automatically terminates a user session after organization-defined conditions or trigger events requiring session disconnect.

  • OWASP-ASVS v4.0.1 V3.3 Session Logout and Timeout Requirements.(3.3.2): If authenticators permit users to remain logged in, verify that re-authentication occurs periodically both when actively used or after an idle period.

  • PCI DSS v3.0 - Requirement 12.3.8: Remote-access technologies are frequent "back doors" to critical resources and cardholder data. By disconnecting remote-access technologies when not in use (for example, those used to support your systems by your POS vendor, other vendors, or business partners), access and risk to networks is minimized.