# Session Timeout Analyzer

| Analyzer ID | Category | Severity | Time To Fix |
|---|---|---|---|
| session-timeout | 🛡️ Security | Medium | 5 minutes |

## What This Checks
This analyzer validates session timeout, cookie security, and lifetime configuration across your Laravel application:
- Session lifetime - Checks `config/session.php` for `lifetime` values exceeding 120 minutes (2 hours). Supports both direct values and `env()` defaults
- Expire on close - Recognizes `expire_on_close => true` as a mitigating factor; downgrades excessive lifetime issues to Low severity rather than suppressing them, as browser behavior varies
- Remember me tokens - Checks `config/auth.php` for custom remember token lifetime keys exceeding 30 days
- Cookie secure flag - Flags `secure => false`; High severity. Cookie sent over unencrypted HTTP in production
- Cookie HttpOnly flag - Flags `http_only => false`; Medium severity. JavaScript can read the session cookie (XSS risk)
- Cookie SameSite attribute - Flags `same_site => 'none'` without `secure => true` (browser-rejected); High severity. Flags `same_site => 'none'` alone (cross-origin exposure); Medium severity
- Session driver - Flags `driver => 'cookie'` (client-side session storage); Medium severity
Recommended limits:
| Context | Maximum Lifetime |
|---|---|
| General applications | 120 minutes (2 hours) |
| Sensitive/financial apps | 15 minutes |
| Admin panels | 30 minutes |
| Remember me tokens | 30 days |
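As an added example (not the analyzer's or Laravel's own code), the `config/session.php` checks listed above re-implemented as one small PHP function and run over a constructed weak config. The function name, finding format and sample values are assumptions; the remember-token check in `config/auth.php` is left out.

```php
<?php
// Added example, not the analyzer's own code. Function name, finding format and the
// sample config are assumptions; the config/auth.php remember-token check is omitted.
function analyzeSessionConfig(array $session): array
{
    $findings = [];
    // Lifetime over 120 minutes. A real config holds env('SESSION_LIFETIME', 1440);
    // here the already-resolved value is used directly.
    $lifetime = (int) ($session['lifetime'] ?? 120);
    if ($lifetime > 120) {
        // expire_on_close => true downgrades to Low but does not suppress the finding
        $severity = !empty($session['expire_on_close']) ? 'Low' : 'Medium';
        $findings[] = ['check' => 'lifetime', 'severity' => $severity,
            'message' => "Session lifetime of {$lifetime} minutes exceeds 120"];
    }
    // Explicit secure => false lets the cookie travel over plain HTTP
    if (($session['secure'] ?? null) === false) {
        $findings[] = ['check' => 'secure', 'severity' => 'High',
            'message' => 'Session cookie not marked Secure'];
    }
    // http_only => false exposes the cookie to JavaScript (XSS)
    if (($session['http_only'] ?? true) === false) {
        $findings[] = ['check' => 'http_only', 'severity' => 'Medium',
            'message' => 'Session cookie readable by JavaScript'];
    }
    // SameSite=None without Secure is rejected by browsers; with Secure it is still cross-origin
    if (($session['same_site'] ?? 'lax') === 'none') {
        $withSecure = ($session['secure'] ?? null) === true;
        $findings[] = ['check' => 'same_site', 'severity' => $withSecure ? 'Medium' : 'High',
            'message' => $withSecure ? 'SameSite=None exposes the cookie cross-origin'
                                     : 'SameSite=None without Secure is rejected by browsers'];
    }
    // The cookie driver keeps session data client-side
    if (($session['driver'] ?? 'file') === 'cookie') {
        $findings[] = ['check' => 'driver', 'severity' => 'Medium',
            'message' => 'Cookie session driver stores session data client-side'];
    }
    return $findings;
}

// Constructed sample that mirrors the "Before" config in How to Fix plus weak cookie settings
$weak = ['lifetime' => 1440, 'expire_on_close' => false, 'secure' => false,
         'http_only' => false, 'same_site' => 'none', 'driver' => 'cookie'];
foreach (analyzeSessionConfig($weak) as $f) {
    printf("[%s] %s: %s\n", $f['severity'], $f['check'], $f['message']);
}
```

Run with `php analyze.php`; the constructed config yields five findings, including the High-severity `same_site` result because `secure` is false.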
## Why It Matters
Excessively long session lifetimes increase the window for several attack vectors:
- Session hijacking - Longer sessions give attackers more time to steal or use a captured session ID
- Session fixation - Extended sessions increase exposure to fixation attacks
- Unattended device access - If a user leaves a device unlocked, long sessions allow unauthorized access
- Compliance violations - PCI-DSS, HIPAA, and similar standards require session timeout enforcement
- Stale authentication - Users who change passwords or have accounts disabled remain logged in
## How to Fix

### Quick Fix (2 minutes)
Update session lifetime in `config/session.php`:

Before (❌):

```php
// config/session.php
return [
    // 24 hours - excessively long
    'lifetime' => env('SESSION_LIFETIME', 1440),
    'expire_on_close' => false,
];
```

After (✅):

```php
// config/session.php
return [
    // 2 hours - appropriate for general applications
    'lifetime' => env('SESSION_LIFETIME', 120),
    'expire_on_close' => false,
];
```

### Proper Fix (5 minutes)
Configure appropriate session lifetime and cookie security:
Session configuration:

```php
// config/session.php
return [
    // General app: 120 minutes, Sensitive app: 15 minutes
    'lifetime' => env('SESSION_LIFETIME', 120),
    'expire_on_close' => false,
    // Cookie security
    'secure' => env('SESSION_SECURE_COOKIE', true),
    'http_only' => true,
    'same_site' => 'lax',
];
```

Environment-specific session lifetime:

```ini
# .env (production - general app)
SESSION_LIFETIME=120

# .env (production - financial app)
SESSION_LIFETIME=15

# .env (local development)
SESSION_LIFETIME=480
```

### Sanctum and Passport token expiration
Sanctum and Passport token lifetimes are validated by their dedicated analyzers: Sanctum Security and Passport Security.
## References
- Laravel Session Configuration
- OWASP Session Management
- OWASP Secure Cookie Attributes
- CWE-613: Insufficient Session Expiration
## Related Analyzers
- Cookie Analyzer - Validates cookie security attributes (HttpOnly, Secure, SameSite)
- CSRF Protection Analyzer - Ensures CSRF protection is enabled
- Authentication Authorization Analyzer - Validates authentication and authorization configurations