
How do I handle working with/updating sessions?

Çağlar Arlı - 16 Views

I have found a lot of information on creating sessions, but I am still a little confused about working with them.

For one, I am not sure how to handle updating the session on use. My understanding is that you will still have an absolute max lifespan, but it is OK to refresh the session on use? So if the user used the site regularly, the site would continue to work over many individual lifespans of the cookie/session? When this happens, do I generate a new session and invalidate the old one? Presumably I would do this only when the session is old enough, so that I am not doing it on every single site interaction?

I think ideally I would want something like:
Sessions last 10 days
When sessions are over ~4 days old, using them creates a new session with a new session id and the old one is invalidated.

Is this correct for a low security website?

Then if I need more security I assume I can just store the last time the user credentials were verified and if that was over 5~15 minutes ago, force the user to re-login to perform the action?

Finally, I am not sure how to handle the absolute max lifetime when dealing with long-lived sessions. All the simple implementations I can think of allow for the possibility of the session expiring on a legitimate user during use. I think a good method would probably use some sort of idle timer? Real users will not use the site every minute for a week straight, so we can say, have an absolute lifespan of 6 months. When a month is left on the absolute lifespan, require a login if the session has been idle for longer than 12 hours; if less than a week is left, do the same for 15 minutes.

But if I am already tracking session use, should I then use it to detect potential bots? Something like, if a session is activated every hour for 24 hours, do I ask for credentials again?
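The policy sketched in the question (an absolute lifespan that is never extended, an id that is rotated once it is old enough, a re-auth window for sensitive actions, and an idle limit that tightens as the absolute lifespan runs out) can be expressed as one small server-side session store. The following is an added example written for this post, not code from the original question or from any particular framework; the `Policy`, `Session` and `SessionStore` names, the in-memory dict standing in for a database table, and the fixed `T0` clock are all assumptions made for illustration. The default `Policy()` uses the 10-day / 4-day / 15-minute numbers from the question; `LONG_LIVED` uses the 6-month variant with the 12-hour and 15-minute idle limits.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    # Defaults are the poster's low-security proposal: 10-day sessions, rotate the id at
    # ~4 days, sensitive actions need credentials verified within 15 minutes, no idle limit.
    absolute_lifespan: timedelta = timedelta(days=10)
    rotate_after: timedelta = timedelta(days=4)
    reauth_window: timedelta = timedelta(minutes=15)
    # (remaining-lifespan threshold, max idle allowed once below it), ascending; empty = no idle limit
    idle_schedule: Tuple[Tuple[timedelta, timedelta], ...] = ()

    def max_idle(self, remaining: timedelta) -> Optional[timedelta]:
        for threshold, idle in self.idle_schedule:
            if remaining <= threshold:
                return idle
        return None


# The poster's long-lived variant: 6 months absolute; 12 h idle limit in the last month,
# 15 min idle limit in the last week.
LONG_LIVED = Policy(
    absolute_lifespan=timedelta(days=180),
    idle_schedule=((timedelta(days=7), timedelta(minutes=15)),
                   (timedelta(days=30), timedelta(hours=12))),
)


@dataclass
class Session:
    sid: str
    user_id: str
    created_at: datetime  # start of the chain; carried across rotations so the absolute cap holds
    issued_at: datetime   # when this particular id was minted
    last_seen: datetime
    last_auth: datetime   # last time credentials were actually verified


class SessionStore:
    """In-memory store standing in for a DB/Redis table keyed by session id (assumption)."""

    def __init__(self, policy: Policy = Policy()) -> None:
        self.policy = policy
        self._live: Dict[str, Session] = {}

    def login(self, user_id: str, now: datetime) -> Session:
        s = Session(secrets.token_urlsafe(32), user_id, now, now, now, now)
        self._live[s.sid] = s
        return s

    def touch(self, sid: str, now: datetime) -> Optional[Session]:
        """Run on every request. Returns the session the client should keep using
        (a freshly rotated one once the id is old enough) or None -> must log in again."""
        s = self._live.get(sid)
        if s is None:
            return None
        remaining = self.policy.absolute_lifespan - (now - s.created_at)
        if remaining <= timedelta(0):
            self.revoke(sid)                       # absolute lifespan exhausted
            return None
        limit = self.policy.max_idle(remaining)
        if limit is not None and now - s.last_seen > limit:
            self.revoke(sid)                       # idle too long for this stage of life
            return None
        s.last_seen = now
        if now - s.issued_at < self.policy.rotate_after:
            return s
        # Rotate: mint a new id, invalidate the old one, keep the chain's created_at.
        fresh = Session(secrets.token_urlsafe(32), s.user_id, s.created_at, now, now, s.last_auth)
        del self._live[sid]
        self._live[fresh.sid] = fresh
        return fresh

    def needs_reauth(self, s: Session, now: datetime) -> bool:
        """Gate for sensitive actions: force a fresh credential check if last_auth is stale."""
        return now - s.last_auth > self.policy.reauth_window

    def record_reauth(self, s: Session, now: datetime) -> None:
        s.last_auth = now

    def revoke(self, sid: str) -> None:
        self._live.pop(sid, None)


# Constructed fixed clock so the walkthrough is deterministic.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)


def at(**delta) -> datetime:
    return T0 + timedelta(**delta)


if __name__ == "__main__":
    store = SessionStore()
    s = store.login("alice", T0)
    same = store.touch(s.sid, at(days=1))          # too young to rotate: same id
    rotated = store.touch(s.sid, at(days=4))       # 4 days old: new id, old id dead
    print(same.sid == s.sid, rotated.sid != s.sid, store.touch(s.sid, at(days=4)) is None)
    print(store.touch(rotated.sid, at(days=10)))   # None: absolute lifespan hit
```

Two design points worth noting: `created_at` is copied to the rotated session rather than reset, which is what keeps the absolute lifespan absolute even though the id changes every few days; and the idle check runs before the rotation check, so a stale session is revoked rather than quietly refreshed. Rotation also drops the old id from the store immediately, so a copy of the old cookie stops working the moment the legitimate client receives the new one.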