I'm curious if there is a way to set a session timeout for web sessions. We were recently cited on this by our PCI consultants, who thought sessions should time out after at most 20 minutes of inactivity.
I briefly entertained using cookie expiration, but I judge that to be actually less secure than what we are currently doing (if you supply an expiration date to a cookie, that forces it to be physically saved to the disk of the browsing machine, whereas a cookie without one is only stored in memory, and is lost when the browsing session is terminated). But in any event, changing the cookie which stores the session ID doesn't cause the session ID itself to become invalid.
I've been unable to find any reference to a web session timeout in the documentation or the forums.
--Gawain
Hi Gawain,
I have looked for this before and have not found anything either. But you could use the lastaccess field from the session to determine when the session was last used and prevent it from being used if it is older than 20 minutes.
Jon
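One way to implement Jon's suggestion, as an added example that is not code from this thread or from the forum software: a server-side session store that refuses and deletes any session whose lastaccess is more than 20 minutes old, which also covers Gawain's point that changing the cookie alone never invalidates the session ID. The record layout, the field names other than lastaccess, and the use of Unix seconds for timestamps are assumptions.

```python
from dataclasses import dataclass, field

IDLE_TIMEOUT_SECONDS = 20 * 60   # the 20-minute inactivity limit from the PCI finding


@dataclass
class Session:
    """Stand-in for a server-side session record; field names are assumed."""
    session_id: str
    user: str
    lastaccess: float           # Unix time of the last request that used this session
    data: dict = field(default_factory=dict)


class SessionStore:
    """Enforces the idle timeout on the server, so an expired session ID is
    rejected no matter what the browser still holds in its cookie."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS):
        self.idle_timeout = idle_timeout
        self._sessions = {}

    def create(self, session_id, user, now):
        self._sessions[session_id] = Session(session_id, user, lastaccess=now)

    def load(self, session_id, now):
        """Return the live session, or None if unknown or idle too long.
        An idle session is deleted, not merely refused, so its ID cannot
        be revived by a later request."""
        session = self._sessions.get(session_id)
        if session is None:
            return None
        if now - session.lastaccess > self.idle_timeout:
            del self._sessions[session_id]
            return None
        session.lastaccess = now   # sliding window: each valid request renews it
        return session

    def destroy(self, session_id):
        """Explicit logout: remove the record server-side."""
        self._sessions.pop(session_id, None)

    def sweep(self, now):
        """Periodic cleanup of sessions that expired without being touched."""
        stale = [sid for sid, s in self._sessions.items()
                 if now - s.lastaccess > self.idle_timeout]
        for sid in stale:
            del self._sessions[sid]
        return len(stale)
```

Call load() from the request handler with the session ID taken from the cookie; a None result means the user must log in again, and a scheduled sweep() keeps abandoned sessions from lingering in the store.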