Add Session Security with AI Prompts

TL;DR

Session security prevents attackers from hijacking user sessions. Key measures include secure cookie settings, session ID regeneration, proper timeouts, and server-side session storage. These prompts help you implement defense-in-depth for your sessions.

Use this prompt to configure your session cookies with all the right security flags. Your AI will generate framework-specific cookie settings including HttpOnly, Secure, SameSite, and expiration configuration with instructions for verifying them in DevTools.

AI Prompt

Configure Secure Cookies

Configure my session cookies with proper security settings.

Framework: Next.js/Express/Django/Rails

Required cookie attributes:

  1. HttpOnly: true (prevents JavaScript access)
  2. Secure: true (HTTPS only)
  3. SameSite: 'Strict' or 'Lax'
  4. Path: '/' (or specific paths)
  5. Domain: only if needed for subdomains

Set appropriate expiration:

  • Session cookie: no Max-Age (browser session)
  • Persistent: Max-Age based on security needs

Show how to set these in my framework's session config. Also show how to verify settings in browser DevTools.

Session ID Management

Copy this prompt to generate session ID management code that prevents fixation attacks. You'll get cryptographically secure ID generation, automatic regeneration on login and privilege changes, and proper invalidation of old session IDs.

AI Prompt

Session Regeneration

Implement proper session ID management to prevent fixation attacks.

Requirements:

  1. Generate cryptographically random session IDs
  2. Regenerate session ID on authentication
  3. Regenerate on privilege escalation
  4. Invalidate old session ID completely
  5. Use sufficient entropy (128+ bits)

Implement regeneration on:

  • Successful login
  • Password change
  • Permission level change
  • Switching from HTTP to HTTPS

Show implementation for my session library. Include migration of session data to new ID.

Always regenerate session ID on login: Session fixation attacks trick users into using a known session ID. Regenerating after login makes any pre-set session ID useless.

Session Timeout Configuration

This prompt asks your AI to build session timeout handling with both absolute and idle timeouts. You'll get server-side timeout tracking, sliding window logic, re-authentication for sensitive operations, and user-facing grace period warnings.

AI Prompt

Implement Session Timeouts

Add proper session timeout handling.

Implement two types of timeout:

  1. Absolute timeout: 24 hours max session life
  2. Idle timeout: 30 minutes of inactivity

For sensitive operations:

  • Re-authenticate for password changes
  • Re-authenticate for payment actions
  • Short-lived elevated sessions (15 min)

Implementation needs:

  • Server-side timeout tracking
  • Sliding window for idle timeout
  • Grace period warning to user
  • Clean session termination
  • Audit log of timeout events

Don't rely only on cookie expiration - validate server-side.

Server-Side Session Storage

Use this prompt to migrate from client-side session storage to a Redis-backed server-side store. Your AI will generate the Redis setup, session cleanup jobs, per-user session listing, and the ability to revoke individual or all sessions.

AI Prompt

Secure Session Store

Move from client-side to server-side session storage.

Current: Session data in JWT/cookie
Target: Server-side with Redis/database

Benefits of server-side:

  1. Can invalidate sessions immediately
  2. No size limits from cookie
  3. Sensitive data not exposed to client
  4. Can track active sessions per user

Implement:

  • Redis session store setup
  • Session cleanup job for expired sessions
  • List active sessions for user
  • Revoke specific sessions
  • Revoke all sessions (logout everywhere)

Store only session ID in cookie. Store session data in Redis with TTL matching timeout.

Pro tip: Bind sessions to additional factors like IP address or user agent fingerprint. Flag sessions for review if these change mid-session.
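As an added example (not code from this page or from any of the frameworks it names), here is a minimal Python session store that exercises the three prompts above in one place: 256-bit IDs, regeneration with data migration on login, absolute and idle timeouts validated server-side, and per-user listing and revocation. It assumes an in-memory dict in place of Redis (where each key would carry a TTL equal to the idle timeout, and a per-user set would replace the scan) and a hypothetical `clock` parameter so expiry can be driven in tests.

```python
import secrets
import time

ABSOLUTE_TIMEOUT = 24 * 60 * 60  # 24 hours max session life
IDLE_TIMEOUT = 30 * 60           # 30 minutes of inactivity

class SessionStore:
    """Server-side session records keyed by an opaque ID; the dict stands in for Redis."""
    def __init__(self, clock=time.time):
        self._clock = clock   # injectable clock so the timeouts can be exercised in tests
        self._sessions = {}   # sid -> {"data": {...}, "created": t, "last_seen": t}

    def create(self):
        now = self._clock()
        sid = secrets.token_urlsafe(32)   # 256 bits of entropy (>= 128 required)
        self._sessions[sid] = {"data": {}, "created": now, "last_seen": now}
        return sid

    def get(self, sid):
        """Validate server-side: unknown, absolutely expired and idle IDs are all rejected."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self._clock()
        if now - rec["created"] > ABSOLUTE_TIMEOUT or now - rec["last_seen"] > IDLE_TIMEOUT:
            self.revoke(sid)   # clean termination; an audit log entry belongs here
            return None
        rec["last_seen"] = now   # sliding window for the idle timeout
        return rec["data"]

    def regenerate(self, old_sid, user_id=None):
        """Fresh ID, same data, old ID dead (defeats fixation); pass user_id on login."""
        rec = self._sessions.pop(old_sid, None)
        if rec is None:
            return None
        if user_id is not None:
            rec["data"]["user_id"] = user_id   # the user is bound to the new ID only
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = rec   # "created" is kept, so the absolute limit still applies
        return new_sid

    def active_sessions(self, user_id):   # in Redis, a per-user set replaces this scan
        return [s for s, r in self._sessions.items() if r["data"].get("user_id") == user_id]

    def revoke(self, sid):
        self._sessions.pop(sid, None)

    def revoke_all(self, user_id):   # logout everywhere
        for sid in self.active_sessions(user_id):
            self.revoke(sid)
```

Only the returned ID is ever sent in the cookie (with the HttpOnly, Secure and SameSite attributes from the first prompt); everything else stays in the store, so an old ID is useless the moment `regenerate` or `revoke` runs.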

Should I use sessions or JWTs?

Sessions are better for traditional web apps because you can revoke them instantly. JWTs work better for stateless APIs and mobile apps where server-side storage is impractical.

How long should sessions last?

Depends on your security requirements. Banking apps might use 15-minute idle timeouts. Social apps might allow days. Always have an absolute maximum regardless of activity.
