service-manual checked
OWASP Session Management Cheat Sheet
Documents idle and absolute session timeout guidance, risk-based timeout durations, renewal behavior, and session expiration considerations for authenticated web applications.
Pattern Decisions This Source Supports
| Pattern | Supported decision | Required contract | Claim note |
|---|---|---|---|
| Session timeout | Choose session timeout when the authenticated session has already expired or been terminated and the next valid path is sign-in, reauthentication, restart, or safe task restoration. | The timeout state is driven by server or identity-provider session validity, not by a cosmetic client-only overlay. | Supports session expiration, automatic logout after idle timeout, and avoiding silent expiry that loses work. |
| Session timeout warning | Choose session timeout warning when the session is approaching an inactivity, absolute, device-lock, or reauthentication boundary that can interrupt authenticated work. | The warning is driven by the authoritative session or identity state, not only a local countdown. | OWASP documents idle and absolute session timeout guidance. |
Evidence Role
This source is treated as service-manual evidence. Use it to validate the decision rules above, not as a visual style reference.
Publisher: OWASP Foundation. Last checked: .