Session management is the process of managing user sessions in a web application. A session is a series of interactions between users and a web application that take place over a period of time.
When sessions are well-managed, users can securely interact with the application and exchange sensitive information without having to frequently re-authenticate. The type of session management that organizations use depends on the sensitivity of the information being exchanged:
- Short-lived sessions last as long as the user interacts with the application. Sessions end when the user signs out of the application or when the session lifetime limit is reached.
- Long-lived sessions keep users signed on to the application even if they leave. These sessions store session IDs on user devices, which allows users to reopen an application and use it without needing to re-authenticate, and are most often used on mobile applications.
While long-lived sessions often provide users with a better experience, they can become a security risk if someone else obtains access to the device while the session is still active.
The challenge is finding the right balance between keeping application sessions safe and providing users with the best possible experience. If a session timeout is too short, it can frustrate users because they’ll be required to sign on again, but if it’s too long, an idle session can expose sensitive information to anyone who gains access to the device or the session. Failure to find this balance can result either in users abandoning their sessions and not returning to the application, or in sessions being attacked, both of which can mean losing customers and revenue.
The specific challenges you might face depend on the type of application you’re protecting. For example, with workforce applications, because you understand who your users are and where they’re located, configuring application sessions might seem to be a simple task. However, when employees travel and occasionally work from different locations, session configuration becomes more complicated.
With retail applications, users are not always authenticated until purchases and other transactions occur, so it's even more difficult to determine if a returning user is the same person. You can use long-lived cookies with unique values that identify specific visits and returns, but many users don’t want to be tracked and remove the cookies. Additionally, because other users might reside in locations where cookies aren’t allowed, relying on persistent cookies is not always possible.
Fortunately, there are a wide variety of ways to configure retail and workforce application sessions to ensure that authentication occurs at the appropriate time and place, using methods deemed appropriate for the risk level detected.