How long does a browser session cookie last?

Normally in ASP.Net the session cookies are set with a 20 minute timeout. That’s usually pretty good. Depending on your app, you may want a JavaScript timer as well. Otherwise the browser won’t understand when it’s logged out until a page refresh happens, and sensitive data can be exposed.

How long should my session be?

Benchmark: What Is a Good Average Session Duration? According to our research, a reasonable benchmark for average session duration is between 2-3 minutes. A good average session duration, then, might be anything above three minutes.

Do browsers delete expired cookies?

A cookie with no expiration date specified will expire when the browser is closed. These are often called session cookies because they are removed after the browser session ends (when the browser is closed). Cookies with an expiration date in the past will be removed from the browser.

What does session length mean?

Session length is typically defined as the amount of time the app is in front of the user. There are exceptions: some apps (such as streaming audio apps) may also include time spent streaming in the background, and always-on apps (such as kiosks) may build timeouts into their session model.

Does Chrome delete expired cookies?

If a cookie has expired, the browser does not send that particular cookie to the server with the page request, and deletes it.

What do browsers do with expired cookies?

When a cookie expires, the browser does not send it to the server. Cookies must be deleted with the same parameters as they were set with.

Is there a limit to how long browser sessions can last?

Generic answer: ideally, the session should be exactly as short as possible, the limit being, indeed, the user’s annoyance. You make sessions because the user would not accept to reenter his password for every single page request.

How long does a session-only cookie last?

The above answer is also correct in that some newer browsers will recover session cookies after a crash/close. @Grinn, you do bring up a good point about the Ticket. When using ASP.Net Forms auth, an encrypted Ticket is placed within the session cookie.

When to use expires time in a browser?

If you do use an expires time you would generally want it to be at least as long as the server-side timeout, but you shouldn’t rely on the browser honouring that expires as your method of ensuring old sessions are unreachable. Generally, session-only (no-expires) cookies are used for session-tracking, with timeout happening on the server side.
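The server-side timeout described above, as an added Python example that is not code from this page or from ASP.Net. The `SessionStore` class, the `sid` cookie name and the in-memory dictionary are assumptions made for illustration; the 20 minute idle window is the figure quoted earlier on the page.

```python
import secrets
import time

IDLE_TIMEOUT = 20 * 60  # seconds; the 20 minute figure the page quotes


class SessionStore:
    """Hypothetical in-memory session table: the server decides expiry."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, clock=time.monotonic):
        self.idle_timeout = idle_timeout
        self.clock = clock       # injectable so expiry can be exercised
        self._sessions = {}      # session id -> (user, last_seen)

    def create(self, user):
        sid = secrets.token_urlsafe(32)  # unguessable id from the OS CSPRNG
        self._sessions[sid] = (user, self.clock())
        return sid

    def cookie_header(self, sid):
        # No Expires/Max-Age attribute: a session-only cookie.
        return f"Set-Cookie: sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"

    def validate(self, sid):
        """Return the user for a live session, or None if unknown/expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, last_seen = entry
        now = self.clock()
        if now - last_seen >= self.idle_timeout:
            del self._sessions[sid]        # expired: forget it server-side
            return None
        self._sessions[sid] = (user, now)  # sliding window: activity renews
        return user

    def logout(self, sid):
        self._sessions.pop(sid, None)


def demo():
    t = [0.0]                              # constructed fake clock
    store = SessionStore(clock=lambda: t[0])
    sid = store.create("alice")
    t[0] = 19 * 60
    active = store.validate(sid)           # inside the window, renewed
    t[0] += 20 * 60
    replayed = store.validate(sid)         # cookie still sent, server refuses
    return active, replayed
```

Because the lookup fails on the server, a session cookie that a browser restores after a crash or that is replayed later is rejected regardless of what the browser did with it.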

Why is it important to keep browser sessions short?

A session is a deliberate, controlled weakening of your security model; you accept it because otherwise the site would be unusable. However, your interest, on the server, is to keep sessions short. Now, of course, this is a trade-off. User’s annoyance is not binary.