Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.
Training Camp • Cybersecurity Glossary
A control that automatically ends a user session after inactivity or a fixed lifetime, limiting the window for session hijacking on idle accounts.
Session Timeout Definition: A control that automatically ends a user session after inactivity or a fixed lifetime, limiting the window for session hijacking on idle accounts.
Session timeout is a security control that automatically terminates a user's authenticated session after a defined period of inactivity (idle timeout) or after a maximum total duration (absolute timeout). It reduces the risk that an unattended or stolen session can be abused, forcing re-authentication once the timer expires.
Mechanically, the server tracks the last activity time for each session identifier. An idle timeout invalidates the session if no request arrives within the configured window; an absolute timeout caps the total session lifetime regardless of activity, limiting how long a hijacked token remains useful. On expiry the server destroys the server-side session state and the associated cookie or token, so subsequent requests are rejected and the user must log in again. Best practice, per OWASP, sets shorter timeouts for high-value applications and ties logout to true server-side invalidation rather than just deleting the client cookie.
For security, session timeout limits the exposure window for session hijacking, fixation, and unauthorized access from unattended workstations. Without it, a session left open on a shared or public computer, or a token captured by an attacker, could remain valid indefinitely. It is a defense-in-depth complement to secure cookie flags, token binding, and re-authentication for sensitive actions, and is mandated by standards such as PCI DSS (which requires re-authentication after 15 minutes of inactivity).
For example, a bank employee logs into an internal admin console and steps away without locking the screen. With a 10-minute idle timeout, the session is automatically invalidated; anyone who later sits at the desk is presented with a login prompt instead of the active session. Even if an attacker had earlier stolen the session cookie, an absolute timeout ensures the token stops working after, say, eight hours, sharply limiting the value of the theft.
Turn knowledge into credentials with our instructor-led cybersecurity boot camps.
View All Courses →