Session Management
What is Session Management?
The set of controls that issue, maintain, refresh, and revoke an authenticated session, binding a user's identity to subsequent requests until logout or expiration.
After authentication, a server issues a session — typically represented by a server-side identifier stored in a cookie, or by a signed token such as a JWT — that the client returns on each request. Good session management generates high-entropy identifiers, transmits them only over TLS, sets the Secure, HttpOnly, and SameSite cookie flags, rotates identifiers after login, enforces idle and absolute timeouts, and provides reliable server-side revocation on logout, password change, or device removal. Weaknesses lead directly to session hijacking, session fixation, replay, and broken authentication. Modern applications often combine short-lived access tokens with refresh tokens, continuous risk evaluation (CAEP), and binding tokens to the device (DPoP, mTLS).
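The controls listed above, worked into a small server-side session store. This is an added example, not code from the original page: it is framework-agnostic, uses only the Python standard library, and takes an injectable clock so timeouts can be exercised deterministically. The `__Host-` cookie-name prefix and the 15-minute / 8-hour timeout values are my choices, not values the page states.

```python
"""Server-side session lifecycle: high-entropy identifiers, hashed storage,
rotation after login (defeats session fixation), idle and absolute
timeouts, server-side revocation, and a cookie with the right attributes.
Added example; framework-agnostic, standard library only."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60          # assumed: seconds of inactivity before a session dies
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # assumed: hard cap on lifetime regardless of activity


@dataclass
class Session:
    user_id: Optional[str]   # None for a pre-authentication (anonymous) session
    created_at: float
    last_seen: float


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._sessions: Dict[str, Session] = {}   # keyed by hash of the identifier

    @staticmethod
    def _key(session_id: str) -> str:
        # Store only a hash so a leaked session table does not yield usable identifiers.
        return hashlib.sha256(session_id.encode()).hexdigest()

    def create(self, user_id: Optional[str] = None) -> str:
        # 32 bytes from the OS CSPRNG: 256 bits of entropy, not guessable or sequential.
        session_id = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[self._key(session_id)] = Session(user_id, now, now)
        return session_id

    def lookup(self, session_id: str) -> Optional[Session]:
        s = self._sessions.get(self._key(session_id))
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created_at > ABSOLUTE_TIMEOUT:
            self.revoke(session_id)   # expired: delete server-side, do not merely ignore
            return None
        s.last_seen = now             # sliding idle window; absolute cap is unaffected
        return s

    def login(self, old_session_id: str, user_id: str) -> str:
        # Rotate on privilege change: the pre-login identifier (which an attacker
        # could have planted via session fixation) is destroyed and a fresh one
        # is bound to the authenticated user.
        self.revoke(old_session_id)
        return self.create(user_id)

    def revoke(self, session_id: str) -> None:
        # Logout: removal is authoritative, the client cannot resurrect the session.
        self._sessions.pop(self._key(session_id), None)

    def revoke_all_for_user(self, user_id: str) -> int:
        # Password change or device removal: terminate every session of the user.
        victims = [k for k, s in self._sessions.items() if s.user_id == user_id]
        for k in victims:
            del self._sessions[k]
        return len(victims)


def session_cookie_header(session_id: str) -> str:
    # Secure: sent only over TLS. HttpOnly: unreadable from script. SameSite=Lax:
    # not attached to cross-site POSTs. The __Host- prefix makes browsers reject the
    # cookie unless it is Secure, Path=/ and has no Domain attribute.
    return (f"__Host-sid={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax; "
            f"Max-Age={ABSOLUTE_TIMEOUT}")


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()
    authed = store.login(anon, "alice")
    print(session_cookie_header(authed))
    print("old id still valid:", store.lookup(anon) is not None)   # False after rotation
```

Lookup both validates and touches the session, so every authenticated request renews the idle window while the absolute timeout still expires long-lived sessions; revocation is a server-side delete, which is what makes logout reliable even if the client keeps the cookie.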
● Examples
- 01
An OIDC application using short-lived access tokens and a refresh-token rotation strategy.
- 02
A banking site rotating the session cookie immediately after login to prevent session fixation.
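The refresh-token rotation strategy from example 01, as an added example that is not part of the original page or any particular OIDC library. Each refresh invalidates the token it was called with and issues a new one; presenting an already-rotated token is treated as a sign that a copy leaked, and the whole token family is revoked. The access token is modelled as a plain dict (a stand-in for a signed JWT) and the 5-minute / 30-day lifetimes are my assumptions.

```python
"""Refresh-token rotation with reuse detection (token families).
Added example; access tokens are a dict stand-in for a signed JWT."""
import secrets
import time
from typing import Callable, Dict, Optional, Set, Tuple

ACCESS_TTL = 5 * 60             # assumed: short-lived access token
REFRESH_TTL = 30 * 24 * 60 * 60  # assumed: refresh token lifetime


class RefreshTokenService:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        # refresh token value -> record; a real deployment would store a hash
        self._refresh: Dict[str, dict] = {}
        self._revoked_families: Set[str] = set()

    def _issue(self, user_id: str, family_id: str) -> Tuple[dict, str]:
        refresh_token = secrets.token_urlsafe(32)
        self._refresh[refresh_token] = {
            "user": user_id,
            "family": family_id,            # all tokens descended from one login
            "expires": self._clock() + REFRESH_TTL,
            "used": False,
        }
        access_token = {                    # stand-in for a signed JWT
            "sub": user_id,
            "exp": self._clock() + ACCESS_TTL,
            "jti": secrets.token_urlsafe(16),
        }
        return access_token, refresh_token

    def login(self, user_id: str) -> Tuple[dict, str]:
        # A successful authentication starts a new family.
        return self._issue(user_id, family_id=secrets.token_urlsafe(16))

    def refresh(self, refresh_token: str) -> Optional[Tuple[dict, str]]:
        rec = self._refresh.get(refresh_token)
        if rec is None or rec["family"] in self._revoked_families:
            return None
        if rec["used"]:
            # Replay of a rotated token: either the client or a thief holds a stale
            # copy, and the server cannot tell which. Revoke the entire family so
            # both parties are forced back through authentication.
            self._revoked_families.add(rec["family"])
            return None
        if self._clock() > rec["expires"]:
            return None
        rec["used"] = True                  # single use: rotation
        return self._issue(rec["user"], rec["family"])

    def logout(self, refresh_token: str) -> None:
        rec = self._refresh.get(refresh_token)
        if rec is not None:
            self._revoked_families.add(rec["family"])

    def family_revoked(self, refresh_token: str) -> bool:
        rec = self._refresh.get(refresh_token)
        return rec is not None and rec["family"] in self._revoked_families


if __name__ == "__main__":
    svc = RefreshTokenService()
    _, r1 = svc.login("alice")
    _, r2 = svc.refresh(r1)
    print("replay of r1 accepted:", svc.refresh(r1) is not None)   # False, family revoked
    print("r2 still usable:", svc.refresh(r2) is not None)         # False
```

The family identifier is what turns rotation into detection: a single stolen refresh token can be used once, but the moment both holders try to refresh, the replay is visible and everything descended from that login is cut off.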
● Frequently asked questions
What is Session Management?
The set of controls that issue, maintain, refresh, and revoke an authenticated session, binding a user's identity to subsequent requests until logout or expiration. It belongs to the Identity & Access category of cybersecurity.
What does Session Management mean?
The set of controls that issue, maintain, refresh, and revoke an authenticated session, binding a user's identity to subsequent requests until logout or expiration.
How do you secure Session Management?
Defences against session weaknesses typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Session Management?
Common alternative names include: Session handling, Web session management.