Now, we'll talk about session persistence and timeouts. The longer a session ID stays valid, the bigger the risk it poses for interception, sidejacking, guessing, and problems of that sort. So we need to, at the very least, replace the session ID every so often. On the other hand, it's nice to have a persistent session. Having the session continue means the server knows more about you than it otherwise would: if you've told it things about yourself, it can preserve that information and use it to give you a better experience. Now, once a session is going, once the server has a relationship with a client, there are a number of ways that session can end. The server can time it out, or the user can choose a logout function, which actually terminates things at the server end. On the client end, a session terminates when the cookie goes away: if the cookie isn't persistent, the session disappears when the client's browser closes; with a persistent cookie, it ends when the cookie expires. Now, the timeout periods have to balance security and usability. How long do you want to go before you replace the session ID? How long before you really need to re-authenticate? Then there's the notion of an idle timeout: how long do you let a session sit idle before you time it out and terminate it? There are a lot of different applications, and the whole point here is that you should be able to fine-tune these according to the level of security you're trying to achieve. If the site is, say, a blog, it has one set of timeout expectations. If it's a banking site performing funds transfers, that's a completely different set of expectations as far as timeout periods go. Now, there are absolute and renewal timeouts to think about. An absolute timeout is essentially the point at which you force new authentication.
It puts a time limit on things: if a session gets hijacked, that limit is the worst abuse of the session you're going to suffer. A renewal timeout essentially retains the session state but replaces the session ID. It's like periodic password changes without the inconvenience, because you don't actually log the person out and log them back in; you simply say, "Okay, start using this session ID instead." Now, session renewal is an important thing to do periodically, and in particular it's good to do whenever the state or the privileges associated with a session change: going from anonymous to authenticated, from one user ID to another, picking up different privileges, or logging out. These are all really important points at which you either replace the session ID or shut the session down entirely. Now, the principal danger that replacing the session ID addresses is the fixation attack: if the attacker established the session ID, they have more opportunity to abuse it.
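As an added illustration (not code from the lecture), here is a small in-memory session store in Python that applies the three timeouts described above, absolute, idle and renewal, and issues a fresh ID on login so that a client-chosen ID is never kept; the timeout values and the store's method names are assumptions chosen for this example.

```python
import secrets
# Timeout policy (assumed example values, in seconds); tune per application
ABSOLUTE_TIMEOUT = 8 * 3600   # force re-authentication after this, active or not
IDLE_TIMEOUT = 15 * 60        # terminate if no request arrives within this window
RENEWAL_INTERVAL = 10 * 60    # rotate the session ID this often, keeping the state

class SessionStore:
    def __init__(self):
        self._sessions = {}   # sid -> state; 'now' is passed in so timeouts are testable

    def create(self, now, user=None):
        # The server always generates the ID; a client-supplied ID is never adopted
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "data": {},
                               "created": now, "last_seen": now, "renewed": now}
        return sid

    def _rotate(self, sid, now):
        # Keep the state, replace the ID: "a password change without the inconvenience"
        state = self._sessions.pop(sid)
        state["renewed"] = now
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = state
        return new_sid

    def touch(self, sid, now):
        """Validate a presented ID; returns (sid_to_use, state) or (None, None) if ended."""
        state = self._sessions.get(sid)
        if state is None:
            return None, None   # unknown, expired, rotated-away, or attacker-chosen ID
        if now - state["created"] >= ABSOLUTE_TIMEOUT or now - state["last_seen"] >= IDLE_TIMEOUT:
            del self._sessions[sid]   # absolute or idle timeout: re-authentication required
            return None, None
        state["last_seen"] = now
        if now - state["renewed"] >= RENEWAL_INTERVAL:
            sid = self._rotate(sid, now)   # renewal timeout: same session, new ID
        return sid, state

    def login(self, sid, now, user):
        """Privilege change (anonymous -> authenticated): always issue a fresh ID."""
        sid, state = self.touch(sid, now)
        if state is None:
            return self.create(now, user=user)   # old session is gone; start clean
        state["user"] = user
        state["created"] = now   # the absolute clock restarts at authentication
        return self._rotate(sid, now)

    def logout(self, sid):
        self._sessions.pop(sid, None)   # terminate at the server end, not just the cookie
```

The caller sends whatever ID `touch` or `login` returns back to the browser as the cookie, so the old ID stops working the moment it is rotated.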