LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What is the difference between an idle timeout and an absolute timeout on a session?

Idle = expires after a period of inactivity. Absolute = expires N units after the session was created, regardless of activity.

Both are required — they address different threats.

Idle timeout Absolute timeout
Trigger No requests for X minutes Session age exceeds X hours / days
Protects against Unattended sessions (logged in on a shared computer, walked away) Long-lived stolen credentials, replay of an old captured cookie
Typical web app 15–30 min 12–24 h
Typical banking 5–10 min 8 h (one working day)
High-risk system 2–5 min 1–2 h

On expiry: both kill the session server-side and force re-authentication.

The guiding principle (in German):

  • "Eine Session sollte immer nur eine bestimmte Lebensdauer haben." (Sessions must have a defined lifetime.)
  • "Je kürzer die Session-Lebensdauer, desto kleiner das Zeitfenster für einen potenziellen Session-basierten Angriff." (Shorter lifetime = smaller attack window.)

Logout still matters: even with timeouts, a user-initiated logout must immediately invalidate the session server-side. Don't rely on the timeout to clean up.

Tip: The trade-off is UX vs. blast radius. The right values depend on Schutzbedarf (protection need): a webmail might be 30 min idle / 24 h absolute, a private-banking session 5 min / 1 h. Pick based on what an attacker can do with one stolen session.

From Quiz: ISF / Session Handling & Login Protocols | Updated: Jul 14, 2026