Glossary / Authentication
Session Management
Session management is how a system keeps a user authenticated after login, issuing and tracking a session token, deciding how long it lasts, and ending it securely on logout or timeout.
Also: session management
Session management covers everything that happens after a user proves who they are. The system issues a session token, often a cookie or a JSON Web Token, that the browser or app presents on each request so the user does not log in again for every action. Good session management decides how long that token is valid, when to refresh it, how to bind it to the device, and how to revoke it.
The security stakes are high. Weak handling leads to session hijacking, fixation, or tokens that outlive their welcome, any of which can become an account takeover. Short lifetimes, secure cookie flags, and clean revocation on logout are the basics.
For CIAM (customer identity and access management), session management determines the balance between not nagging customers to re-authenticate and not leaving a stolen session usable for too long.
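The basics named above, as an added example that is not part of this glossary entry: a minimal in-memory session store with unguessable tokens, an absolute lifetime and an idle timeout, a fresh token issued at login so a pre-login value is never upgraded (fixation), server-side revocation on logout, and a Set-Cookie value carrying the Secure, HttpOnly and SameSite flags. The lifetimes and the `sid` cookie name are illustrative choices, and the injectable clock exists only so expiry can be exercised without waiting.

```python
# Added example, not from the glossary page: server-side session handling basics.
import secrets
import time

ABSOLUTE_LIFETIME = 8 * 3600   # illustrative: seconds a session lives after creation
IDLE_TIMEOUT = 15 * 60         # illustrative: seconds allowed between requests


class SessionStore:
    """In-memory store; a real deployment would use a shared, persistent backend."""

    def __init__(self, clock=time.time):
        self._clock = clock        # injectable clock so tests can advance time
        self._sessions = {}        # token -> {"user", "created", "last_seen"}

    def create(self, user):
        """Issue a fresh, unguessable token (256 bits of randomness) for a user."""
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def validate(self, token):
        """Return the user for a live token, or None if unknown or expired."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if now - s["created"] > ABSOLUTE_LIFETIME or now - s["last_seen"] > IDLE_TIMEOUT:
            self.revoke(token)     # expired sessions are dropped, not left lying around
            return None
        s["last_seen"] = now       # sliding idle window
        return s["user"]

    def login(self, user, presented_token=None):
        """On successful authentication, discard whatever token the client already
        held and issue a new one, so a planted pre-login token is never promoted."""
        if presented_token is not None:
            self._sessions.pop(presented_token, None)
        return self.create(user)

    def revoke(self, token):
        """Server-side logout: the token stops working even if the client keeps it."""
        self._sessions.pop(token, None)


def session_cookie(token, name="sid", max_age=IDLE_TIMEOUT):
    """Set-Cookie value with the flags that limit where the token can leak:
    HTTPS only, not readable by script, not sent on cross-site requests."""
    return f"{name}={token}; Max-Age={max_age}; Path=/; Secure; HttpOnly; SameSite=Lax"
```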
Sources
- OWASP Session Management Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html