The session tokens should be handled by the web server if possible or generated via a cryptographically secure random number generator.
===Inactivity Time Out===
Authenticated sessions should time out after a defined period of inactivity; 15 minutes is recommended.
===Secure Flag===
The "Secure" flag should be set on every Set-Cookie header. This instructs the browser never to send the cookie over plain HTTP. The purpose of this flag is to prevent the accidental exposure of a cookie value if a user follows an HTTP link.
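The three points above (a token from a cryptographically secure generator, a sliding 15-minute inactivity timeout, and the Secure flag on Set-Cookie) can be put together in a small server-side session layer. The following is an added example written for this page, not code from the original text or from any particular web framework; the `SessionStore` class, the cookie name `SESSIONID` and the injectable clock are illustrative assumptions.

```python
import secrets
import time
from http.cookies import SimpleCookie

# Illustrative constant (assumption): 15 minutes, the period the page recommends.
INACTIVITY_TIMEOUT_SECONDS = 15 * 60


def generate_session_token(nbytes: int = 32) -> str:
    """Return a session token drawn from the OS CSPRNG via the secrets module."""
    return secrets.token_urlsafe(nbytes)


class SessionStore:
    """Minimal in-memory session store enforcing a sliding inactivity timeout.

    Hypothetical class for illustration; a real deployment would back this
    with the web server's own session handling where available.
    """

    def __init__(self, timeout: int = INACTIVITY_TIMEOUT_SECONDS, clock=time.time):
        self._timeout = timeout
        self._clock = clock      # injectable clock so the timeout can be tested deterministically
        self._sessions = {}      # token -> {"user": ..., "last_seen": ...}

    def create(self, user: str) -> str:
        """Start a session for `user` and return its freshly generated token."""
        token = generate_session_token()
        self._sessions[token] = {"user": user, "last_seen": self._clock()}
        return token

    def touch(self, token: str):
        """Validate a token on each request.

        Returns the session record, or None if the token is unknown or the
        inactivity window has elapsed. A successful lookup refreshes last_seen,
        so the window slides with each request.
        """
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        if now - session["last_seen"] > self._timeout:
            del self._sessions[token]   # expired: drop the server-side state
            return None
        session["last_seen"] = now
        return session


def build_set_cookie_header(token: str, name: str = "SESSIONID") -> str:
    """Build a Set-Cookie header value that carries the Secure flag."""
    cookie = SimpleCookie()
    cookie[name] = token
    cookie[name]["path"] = "/"
    cookie[name]["secure"] = True   # browser sends this cookie only over HTTPS
    return cookie[name].OutputString()


def cookie_is_secure(header_value: str) -> bool:
    """Audit helper: True if a Set-Cookie value carries the Secure attribute."""
    attrs = [part.strip().lower() for part in header_value.split(";")]
    return "secure" in attrs


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("alice")
    print(build_set_cookie_header(tok))
    print("valid:", store.touch(tok) is not None)
```

`cookie_is_secure` is the kind of check worth running against real responses (for example in an integration test) to catch a cookie that was emitted without the flag; `touch` discards expired state server-side rather than relying on the browser to forget the cookie.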