Session Introduction

What Is The Session?

- A session is the total time devoted to an activity. In computer systems, a user session begins when a user logs in to or accesses a particular computer, network, or software service. It ends when the user logs out of the service or shuts down the computer. A session can temporarily store information related to the user's activities while connected. A session cookie is used in web pages to store information in case the user leaves the web page or closes their browser. For example, this is one way a website can remember what is in your shopping cart if you leave and come back.
- In computer programming, session variables store temporary information, sometimes used for retrieving and viewing data across multiple web pages. Websites requiring a username and password use session variables to help transfer data between web pages, but only while the user is logged in.
What Is The Session Timeout?

Session timeout represents the event that occurs when a user does not perform any action on a web site during an interval defined by the web server. On the server side, the event changes the status of the user session to 'invalid' (i.e. "not used anymore") and instructs the web server to destroy it, deleting all data contained in it.

- You can imagine that if you log in to a website, then go out and forget to log out, when you come back you will be required to log in again. This means your session has timed out: when you do nothing on the website, the server side calculates the idle interval of the session and destroys it once that interval exceeds the timeout.
Session Timeout On Security and Best Practices

- The session timeout defines an action window for a user; this window represents the time in which an attacker can try to steal and use an existing user session.
- For this, it is best practice to:
- Set the session timeout to the minimal value possible depending on the context of the application.
- Avoid "infinite" session timeouts.
- Prefer a declarative definition of the session timeout in order to apply a global timeout to all application sessions.
- Trace session creation/destruction in order to analyse the creation trend and establish the normal number of session creations (the application profiling phase of an attack).
- Set
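The practices above (a global, declarative timeout, rejecting an "infinite" value, expiring idle sessions, and tracing creation/destruction) as an added example in Python; this is not code from the original page. The `SessionStore` class, the timeout values, and the audit logger name are assumptions, and the example goes one step beyond the page by also enforcing an absolute session lifetime measured from login.

```python
import logging
import secrets
import time

# Declarative, global policy (values assumed for this example): every session
# the store creates inherits these limits, so no code path can opt out of them.
IDLE_TIMEOUT_SECONDS = 15 * 60        # destroy after 15 min without activity
ABSOLUTE_TIMEOUT_SECONDS = 8 * 3600   # destroy 8 h after login regardless
log = logging.getLogger("session-audit")


class SessionStore:
    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS,
                 absolute_timeout=ABSOLUTE_TIMEOUT_SECONDS, clock=time.time):
        # Refuse "infinite" sessions: a non-positive timeout is a misconfiguration.
        if idle_timeout <= 0 or absolute_timeout <= 0:
            raise ValueError("session timeouts must be positive")
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self.clock = clock            # injectable clock for deterministic tests
        self.sessions = {}            # session_id -> record

    def create(self, user):
        session_id = secrets.token_urlsafe(32)     # unguessable identifier
        now = self.clock()
        self.sessions[session_id] = {"user": user, "created": now,
                                     "last_seen": now, "data": {}}
        # Trace creation so the normal rate of logins can be profiled later.
        log.info("session created user=%s", user)
        return session_id

    def touch(self, session_id):
        """Return the record if the session is still valid, else destroy it."""
        record = self.sessions.get(session_id)
        if record is None:
            return None
        now = self.clock()
        if now - record["last_seen"] > self.idle_timeout:
            self.destroy(session_id, "idle timeout")
            return None
        if now - record["created"] > self.absolute_timeout:
            self.destroy(session_id, "absolute timeout")
            return None
        record["last_seen"] = now     # activity extends the idle window only
        return record

    def destroy(self, session_id, reason="logout"):
        record = self.sessions.pop(session_id, None)
        if record is not None:
            log.info("session destroyed user=%s reason=%s", record["user"], reason)
        return record is not None
```

Every request handler would call `touch()` first and treat `None` as "not logged in", so the idle window is recomputed by the server on each access rather than trusted from the client.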