Absolute session timeout

[joelharkes]

Laravel has a session lifetime. env key: SESSION_LIFETIME.

But most frameworks provide 2 different timeouts:

1. 1 for inactivity timeout, has user not been active for X time, stop the sesison
2. another an absolute timeout, even if user has been active, we do close the session after X time.

See also: https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Session_Management_Cheat_Sheet.md

Laravel does not know this absolute timeout.

Problem

If a session is hijacked a hacker can keep open the session forever, by sending a request to the server within the session lifetime window.
This is why it is best practise to also always setup an absolute timeout.

What would Laravel need?

storing an additional field: created_at of the session.
add the additional config variable to also setup.
then the logic:

• do not look or skip, sessions outside absolute window
• cleanup lottery should also clean sessions outside absolute timeout.

Question?

Do you think Laravel should implement this?