What is the difference between an idle timeout and an absolute timeout on a session?
Idle = expires after a period of inactivity. Absolute = expires N units after the session was created, regardless of activity.
Both are required — they address different threats.
| Idle timeout | Absolute timeout | |
|---|---|---|
| Trigger | No requests for X minutes | Session age exceeds X hours / days |
| Protects against | Unattended sessions (logged in on a shared computer, walked away) | Long-lived stolen credentials, replay of an old captured cookie |
| Typical web app | 15–30 min | 12–24 h |
| Typical banking | 5–10 min | 8 h (one working day) |
| High-risk system | 2–5 min | 1–2 h |
On expiry: both kill the session server-side and force re-authentication.
The guiding principle (in German):
- "Eine Session sollte immer nur eine bestimmte Lebensdauer haben." (Sessions must have a defined lifetime.)
- "Je kürzer die Session-Lebensdauer, desto kleiner das Zeitfenster für einen potenziellen Session-basierten Angriff." (Shorter lifetime = smaller attack window.)
Logout still matters: even with timeouts, a user-initiated logout must immediately invalidate the session server-side. Don't rely on the timeout to clean up.
Tip: The trade-off is UX vs. blast radius. The right values depend on Schutzbedarf (protection need): a webmail might be 30 min idle / 24 h absolute, a private-banking session 5 min / 1 h. Pick based on what an attacker can do with one stolen session.