
How to handle session absolute lifetime during user activity?

Çağlar Arlı


I'm implementing a web login system and am confused about how to think about when authenticated sessions (not just browser sessions) should be expired.

There seem to be 2 factors:

  • absolute lifetime of a session;
  • idle time.

Idle time makes sense to me.

Having an absolute lifetime implies a session should be expired even if the user is actively using the site at the time. That would be a poor user experience, and it also doesn't seem to be what happens in practice.

So how is absolute lifetime generally handled?

It seems to me one option could be to discard the current session and start a new session each time an authenticated user makes a request. Then the session lifetime and the idle time are effectively one and the same thing, and an active user won't be logged out while clicking around the site. But as far as I can tell the OWASP guides don't talk about this. Is it a sensible approach?

There also seems to be something called session "renewal" but I don't understand it – is it simply changing a session's identifier without affecting its expiration?
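As an added example that is not part of the question above, the following Python session store makes the two timers the question distinguishes concrete: an idle timeout that slides with every request, and an absolute lifetime fixed at login. It also contains a `renew()` that rotates the session identifier without touching the absolute deadline, and a `reissue()` that models the "discard the session and start a new one on every request" option from the question, so the effect of each on the absolute deadline can be seen. The timeout values, user names and timestamps are illustrative assumptions; the code is mine, not from OWASP or any framework.

```python
import secrets
import time
from dataclasses import dataclass, field

# Assumed illustrative defaults (seconds); tune to the application's risk profile.
IDLE_TIMEOUT = 15 * 60
ABSOLUTE_LIFETIME = 8 * 60 * 60


@dataclass
class Session:
    user: str
    created_at: float  # fixed at login; the absolute deadline hangs off this
    last_seen: float   # advanced on every validated request; drives idle timeout
    sid: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class SessionStore:
    def __init__(self, idle_timeout=IDLE_TIMEOUT, absolute_lifetime=ABSOLUTE_LIFETIME):
        self.idle_timeout = idle_timeout
        self.absolute_lifetime = absolute_lifetime
        self._sessions = {}  # sid -> Session (in-memory stand-in for a real store)

    def login(self, user, now=None):
        now = time.time() if now is None else now
        s = Session(user=user, created_at=now, last_seen=now)
        self._sessions[s.sid] = s
        return s.sid

    def validate(self, sid, now=None):
        """Return the live Session for sid, or None after destroying an expired one."""
        now = time.time() if now is None else now
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s.created_at > self.absolute_lifetime:  # fires even for an active user
            self.logout(sid)
            return None
        if now - s.last_seen > self.idle_timeout:        # fires only after inactivity
            self.logout(sid)
            return None
        s.last_seen = now  # sliding idle window
        return s

    def renew(self, sid, now=None):
        """Renewal as identifier rotation: new sid, old sid dead, created_at unchanged."""
        s = self.validate(sid, now)
        if s is None:
            return None
        del self._sessions[sid]
        s.sid = secrets.token_urlsafe(32)
        self._sessions[s.sid] = s
        return s.sid

    def reissue(self, sid, now=None):
        """The question's 'discard and start a new session each request' option.
        created_at resets, so the absolute deadline slides along with the idle one."""
        now = time.time() if now is None else now
        s = self.validate(sid, now)
        if s is None:
            return None
        self.logout(sid)
        return self.login(s.user, now)

    def logout(self, sid):
        self._sessions.pop(sid, None)

    def absolute_deadline(self, sid):
        s = self._sessions.get(sid)
        return None if s is None else s.created_at + self.absolute_lifetime


def walkthrough():
    """Active user, renewal at 30 min, hard stop at the 60 min absolute lifetime."""
    store = SessionStore(idle_timeout=15 * 60, absolute_lifetime=60 * 60)
    t0 = 1_700_000_000.0  # constructed login timestamp
    sid = store.login("alice", now=t0)
    deadline = store.absolute_deadline(sid)
    out = {}
    out["alive_before_renew"] = all(
        store.validate(sid, now=t0 + m * 60) is not None for m in (5, 10, 15, 20, 25))
    new_sid = store.renew(sid, now=t0 + 30 * 60)
    out["old_id_rejected"] = store.validate(sid, now=t0 + 31 * 60) is None
    out["deadline_unchanged"] = store.absolute_deadline(new_sid) == deadline
    out["alive_after_renew"] = all(
        store.validate(new_sid, now=t0 + m * 60) is not None for m in (35, 40, 45, 50, 55))
    out["expired_while_active"] = store.validate(new_sid, now=t0 + 61 * 60) is None
    out["idle_expired"] = store.validate(store.login("carol", now=t0), now=t0 + 16 * 60) is None
    return out


def sliding_walkthrough():
    """Reissuing on every request keeps a user alive far past the absolute lifetime."""
    store = SessionStore(idle_timeout=15 * 60, absolute_lifetime=60 * 60)
    t0 = 1_700_000_000.0
    sid = store.login("bob", now=t0)
    for m in range(5, 125, 5):  # a request every 5 min for two hours
        sid = store.reissue(sid, now=t0 + m * 60)
        if sid is None:
            return False
    return store.validate(sid, now=t0 + 125 * 60) is not None


if __name__ == "__main__":
    print(walkthrough())
    print("reissue defeats absolute lifetime:", sliding_walkthrough())
```

The two walkthroughs show the trade-off behind the question: with `renew()`, rotating the identifier does not extend the session, so an active user still gets logged out at the absolute deadline; with `reissue()`, the absolute lifetime is effectively gone and only the idle timeout remains.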