[{"data":1,"prerenderedAt":365},["ShallowReactive",2],{"blog-prompts/add-session-security":3},{"id":4,"title":5,"body":6,"category":344,"date":345,"dateModified":346,"description":347,"draft":348,"extension":349,"faq":350,"featured":348,"headerVariant":351,"image":350,"keywords":350,"meta":352,"navigation":353,"ogDescription":354,"ogTitle":350,"path":355,"readTime":350,"schemaOrg":356,"schemaType":357,"seo":358,"sitemap":359,"stem":360,"tags":361,"twitterCard":363,"__hash__":364},"blog/blog/prompts/add-session-security.md","Add Session Security with AI Prompts",{"type":7,"value":8,"toc":334},"minimark",[9,16,21,24,75,79,82,128,138,142,145,199,203,206,255,264,280,284,287,308,322],[10,11,12],"tldr",{},[13,14,15],"p",{},"Session security prevents attackers from hijacking user sessions. Key measures include secure cookie settings, session ID regeneration, proper timeouts, and server-side session storage. These prompts help you implement defense-in-depth for your sessions.",[17,18,20],"h2",{"id":19},"secure-cookie-configuration","Secure Cookie Configuration",[13,22,23],{},"Use this prompt to configure your session cookies with all the right security flags. Your AI will generate framework-specific cookie settings including HttpOnly, Secure, SameSite, and expiration configuration with instructions for verifying them in DevTools.",[25,26,28,31,38,41,60,63,72],"prompt-box",{"title":27},"Configure Secure Cookies",[13,29,30],{},"Configure my session cookies with proper security settings.",[13,32,33,34],{},"Framework: ",[35,36,37],"span",{},"Next.js/Express/Django/Rails",[13,39,40],{},"Required cookie attributes:",[42,43,44,48,51,54,57],"ol",{},[45,46,47],"li",{},"HttpOnly: true (prevents JavaScript access)",[45,49,50],{},"Secure: true (HTTPS only)",[45,52,53],{},"SameSite: 'Strict' or 'Lax'",[45,55,56],{},"Path: '/' (or specific paths)",[45,58,59],{},"Domain: only if needed for subdomains",[13,61,62],{},"Set appropriate expiration:",[64,65,66,69],"ul",{},[45,67,68],{},"Session cookie: no Max-Age (browser session)",[45,70,71],{},"Persistent: Max-Age based on security needs",[13,73,74],{},"Show how to set these in my framework's session config.\nAlso show how to verify settings in browser DevTools.",[17,76,78],{"id":77},"session-id-management","Session ID Management",[13,80,81],{},"Copy this prompt to generate session ID management code that prevents fixation attacks. You'll get cryptographically secure ID generation, automatic regeneration on login and privilege changes, and proper invalidation of old session IDs.",[25,83,85,88,91,108,111,125],{"title":84},"Session Regeneration",[13,86,87],{},"Implement proper session ID management to prevent fixation attacks.",[13,89,90],{},"Requirements:",[42,92,93,96,99,102,105],{},[45,94,95],{},"Generate cryptographically random session IDs",[45,97,98],{},"Regenerate session ID on authentication",[45,100,101],{},"Regenerate on privilege escalation",[45,103,104],{},"Invalidate old session ID completely",[45,106,107],{},"Use sufficient entropy (128+ bits)",[13,109,110],{},"Implement regeneration on:",[64,112,113,116,119,122],{},[45,114,115],{},"Successful login",[45,117,118],{},"Password change",[45,120,121],{},"Permission level change",[45,123,124],{},"Switching from HTTP to HTTPS",[13,126,127],{},"Show implementation for my session library.\nInclude migration of session data to new ID.",[129,130,131],"warning-box",{},[13,132,133,137],{},[134,135,136],"strong",{},"Always regenerate session ID on login:"," Session fixation attacks trick users into using a known session ID. Regenerating after login makes any pre-set session ID useless.",[17,139,141],{"id":140},"session-timeout-configuration","Session Timeout Configuration",[13,143,144],{},"This prompt asks your AI to build session timeout handling with both absolute and idle timeouts. You'll get server-side timeout tracking, sliding window logic, re-authentication for sensitive operations, and user-facing grace period warnings.",[25,146,148,151,154,162,165,176,179,196],{"title":147},"Implement Session Timeouts",[13,149,150],{},"Add proper session timeout handling.",[13,152,153],{},"Implement two types of timeout:",[42,155,156,159],{},[45,157,158],{},"Absolute timeout: 24 hours max session life",[45,160,161],{},"Idle timeout: 30 minutes of inactivity",[13,163,164],{},"For sensitive operations:",[64,166,167,170,173],{},[45,168,169],{},"Re-authenticate for password changes",[45,171,172],{},"Re-authenticate for payment actions",[45,174,175],{},"Short-lived elevated sessions (15 min)",[13,177,178],{},"Implementation needs:",[64,180,181,184,187,190,193],{},[45,182,183],{},"Server-side timeout tracking",[45,185,186],{},"Sliding window for idle timeout",[45,188,189],{},"Grace period warning to user",[45,191,192],{},"Clean session termination",[45,194,195],{},"Audit log of timeout events",[13,197,198],{},"Don't rely only on cookie expiration - validate server-side.",[17,200,202],{"id":201},"server-side-session-storage","Server-Side Session Storage",[13,204,205],{},"Use this prompt to migrate from client-side session storage to a Redis-backed server-side store. Your AI will generate the Redis setup, session cleanup jobs, per-user session listing, and the ability to revoke individual or all sessions.",[25,207,209,212,215,218,232,235,252],{"title":208},"Secure Session Store",[13,210,211],{},"Move from client-side to server-side session storage.",[13,213,214],{},"Current: Session data in JWT/cookie\nTarget: Server-side with Redis/database",[13,216,217],{},"Benefits of server-side:",[42,219,220,223,226,229],{},[45,221,222],{},"Can invalidate sessions immediately",[45,224,225],{},"No size limits from cookie",[45,227,228],{},"Sensitive data not exposed to client",[45,230,231],{},"Can track active sessions per user",[13,233,234],{},"Implement:",[64,236,237,240,243,246,249],{},[45,238,239],{},"Redis session store setup",[45,241,242],{},"Session cleanup job for expired sessions",[45,244,245],{},"List active sessions for user",[45,247,248],{},"Revoke specific sessions",[45,250,251],{},"Revoke all sessions (logout everywhere)",[13,253,254],{},"Store only session ID in cookie.\nStore session data in Redis with TTL matching timeout.",[256,257,258],"tip-box",{},[13,259,260,263],{},[134,261,262],{},"Pro tip:"," Bind sessions to additional factors like IP address or user agent fingerprint. Flag sessions for review if these change mid-session.",[265,266,267,274],"faq-section",{},[268,269,271],"faq-item",{"question":270},"Should I use sessions or JWTs?",[13,272,273],{},"Sessions are better for traditional web apps because you can revoke them instantly. JWTs work better for stateless APIs and mobile apps where server-side storage is impractical.",[268,275,277],{"question":276},"How long should sessions last?",[13,278,279],{},"Depends on your security requirements. Banking apps might use 15-minute idle timeouts. Social apps might allow days. Always have an absolute maximum regardless of activity.",[17,281,283],{"id":282},"further-reading","Further Reading",[13,285,286],{},"Want to understand the vulnerability before fixing it? These guides explain what's happening and why.",[64,288,289,296,302],{},[45,290,291],{},[292,293,295],"a",{"href":294},"/blog/vulnerabilities/exposed-api-keys","Understanding exposed API keys",[45,297,298],{},[292,299,301],{"href":300},"/blog/how-to/hide-api-keys","How to hide API keys step-by-step",[45,303,304],{},[292,305,307],{"href":306},"/blog/best-practices/secrets","Secret management best practices",[309,310,311,317],"related-articles",{},[312,313],"related-card",{"description":314,"href":315,"title":316},"Complete login security","/blog/prompts/secure-login-flow","Secure Login Flow",[312,318],{"description":319,"href":320,"title":321},"Proper session termination","/blog/prompts/secure-logout","Secure Logout",[323,324,327,331],"cta-box",{"href":325,"label":326},"/","Start Free Scan",[17,328,330],{"id":329},"check-your-session-security","Check Your Session Security",[13,332,333],{},"Scan your app for session management vulnerabilities.",{"title":335,"searchDepth":336,"depth":336,"links":337},"",2,[338,339,340,341,342,343],{"id":19,"depth":336,"text":20},{"id":77,"depth":336,"text":78},{"id":140,"depth":336,"text":141},{"id":201,"depth":336,"text":202},{"id":282,"depth":336,"text":283},{"id":329,"depth":336,"text":330},"prompts","2026-02-16","2026-03-06","AI prompts to secure your session management. Implement secure cookies, session timeouts, regeneration, and protection against session hijacking.",false,"md",null,"cyan",{},true,"AI prompts to harden your session management against attacks.","/blog/prompts/add-session-security","[object Object]","BlogPosting",{"title":5,"description":347},{"loc":355},"blog/prompts/add-session-security",[362],"Authentication","summary_large_image","n1FmPZMxPDMVzUuuFPnfzNqbgK6ljPTXcOKxT_2A21E",1775843938774]