Test the session termination process

Testing session termination mainly means checking that a session cannot be reused after the user logs off. You should also check how the application handles the session data it keeps in memory. To limit the time an attacker has to attack an active session and take it over, set an expiration timeout for each session that specifies how long it remains active. Setting too long a session expiration time for a web application increases the risk of attacks on active sessions; the shorter the session interval, the less time an attacker has to take over. Session expiration timeout values should be set according to the purpose and nature of the web application, balancing security and usability so that the user can work in the application without frequently losing the session. Typical idle timeouts are 2-5 minutes for high-risk applications and 15-30 minutes for low-risk applications. The figure below shows a server response that sets a session cookie validity period of one year, which is far too long.

[Figure: server response setting a session cookie validity period of one year, which is too long]
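As an added example (not code from the original article), the two checks described above in Python: a helper that reads the lifetime a Set-Cookie header grants and compares it with the idle-timeout ceilings the article gives, and a minimal server-side session store that enforces an idle timeout and refuses a session id after logout. The risk labels, the ceiling dictionary and the store design are assumptions made for illustration.

```python
from email.utils import parsedate_to_datetime

# Idle-timeout ceilings in seconds, taken from the article's guidance (5 min
# for high-risk applications, 30 min for low-risk ones); the labels are ours.
IDLE_CEILING = {"high": 5 * 60, "low": 30 * 60}

def cookie_lifetime(set_cookie: str, now: int):
    """Seconds of validity a Set-Cookie header grants, or None for a
    browser-session cookie (no Max-Age/Expires). Max-Age wins over Expires."""
    attrs = {}
    for part in set_cookie.split(";")[1:]:  # skip the name=value pair itself
        name, _, value = part.strip().partition("=")
        attrs[name.lower()] = value
    if "max-age" in attrs:
        return int(attrs["max-age"])
    if "expires" in attrs:  # RFC 1123 date, e.g. "Mon, 01 Jan 2024 00:10:00 GMT"
        return int(parsedate_to_datetime(attrs["expires"]).timestamp() - now)
    return None

def check_cookie(set_cookie: str, risk: str, now: int) -> str:
    """Compare the cookie lifetime with the ceiling for the given risk level."""
    lifetime = cookie_lifetime(set_cookie, now)
    if lifetime is None:
        return "OK: browser-session cookie; verify the server-side idle timeout"
    if lifetime > IDLE_CEILING[risk]:
        return f"FINDING: lifetime {lifetime}s exceeds {IDLE_CEILING[risk]}s ({risk}-risk)"
    return f"OK: lifetime {lifetime}s"

class SessionStore:
    """Minimal server-side store: idle timeout plus invalidation on logout."""
    def __init__(self, idle_timeout: int):
        self.idle_timeout = idle_timeout
        self._last_seen = {}  # session id -> epoch seconds of last activity

    def create(self, sid: str, now: int):
        self._last_seen[sid] = now

    def is_valid(self, sid: str, now: int) -> bool:
        last = self._last_seen.get(sid)
        if last is None or now - last > self.idle_timeout:
            self._last_seen.pop(sid, None)  # expired ids are purged, not kept
            return False
        self._last_seen[sid] = now  # activity restarts the idle timer
        return True

    def logout(self, sid: str):
        self._last_seen.pop(sid, None)  # the id must never be accepted again
```

A one-year Max-Age like the one in the figure is reported as a finding for either risk level, while a cookie with no Max-Age/Expires only shifts the question to the server-side idle timeout, which the store models.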
