--- id: wiki-2026-0508-session-lifecycle title: Session Lifecycle category: 10_Wiki/Topics status: verified canonical_id: self aliases: [Session Management, Session State, Login Session] duplicate_of: none source_trust_level: A confidence_score: 0.9 verification_status: applied tags: [security, web, authentication, session] raw_sources: [] last_reinforced: 2026-05-10 github_commit: pending tech_stack: language: typescript framework: nextjs-redis --- # Session Lifecycle ## 매 한 줄 > **"매 user 의 매 authenticated state 의 매 birth → death"**. Session lifecycle 는 매 login 으로 매 시작, 매 idle/absolute timeout 또는 매 explicit logout 으로 매 끝. 2026 현재 매 stateless JWT 의 매 short-lived access token (15 min) + 매 stateful refresh token (rotating, server-revocable) 의 매 hybrid 가 매 dominant; 매 OWASP ASVS V3 가 매 baseline. ## 매 핵심 ### 매 Phases 1. **Auth**: credential verify (password, MFA, passkey). 2. **Issue**: session token (cookie / JWT) + binding (UA, IP optional). 3. **Validate**: per-request check + refresh. 4. **Refresh**: rotation on each use. 5. **Terminate**: logout, idle (15-30min), absolute (12-24h), forced (admin, breach). ### 매 Token strategies - **Stateful (DB session)**: server stores; revocable instantly; scale via Redis. - **Stateless JWT**: signed token; revocation via short TTL or blocklist. - **Hybrid**: short JWT access + opaque refresh in DB. ### 매 Cookie attributes - `HttpOnly` — XSS protection. - `Secure` — TLS only. - `SameSite=Lax` (or Strict) — CSRF. - `__Host-` prefix — domain lock. - `Path=/` and reasonable `Max-Age`. ### 매 응용 1. Web SPA + cookie session. 2. Mobile app + refresh-token rotation. 3. SSO (SAML/OIDC) federated. 4. Service mesh (mTLS-based). ## 💻 패턴 ### Cookie session (Express + Redis) ```typescript import session from "express-session"; import RedisStore from "connect-redis"; app.use(session({ store: new RedisStore({ client: redis, prefix: "sess:" }), secret: process.env.SESSION_SECRET!, resave: false, saveUninitialized: false, cookie: { httpOnly: true, secure: true, sameSite: "lax", maxAge: 30 * 60_000, // idle timeout via touch }, rolling: true, })); ``` ### JWT access + rotating refresh ```typescript function issueTokens(userId: string) { const access = jwt.sign({ sub: userId }, ACCESS_SECRET, { expiresIn: "15m" }); const refresh = crypto.randomUUID(); redis.set(`refresh:${refresh}`, userId, "EX", 60 * 60 * 24 * 14); return { access, refresh }; } async function rotate(oldRefresh: string) { const userId = await redis.get(`refresh:${oldRefresh}`); if (!userId) throw new Error("invalid"); await redis.del(`refresh:${oldRefresh}`); // single-use return issueTokens(userId); } ``` ### Idle + absolute timeout ```typescript type Session = { userId: string; createdAt: number; lastSeenAt: number }; const ABSOLUTE = 24 * 3600_000; const IDLE = 30 * 60_000; function valid(s: Session): boolean { const now = Date.now(); return now - s.createdAt < ABSOLUTE && now - s.lastSeenAt < IDLE; } ``` ### Global logout (token version) ```typescript // User table column: tokenVersion (incremented on logout-everywhere) const access = jwt.sign({ sub: user.id, ver: user.tokenVersion }, SECRET); // On verify if (decoded.ver !== currentUser.tokenVersion) throw new Error("revoked"); ``` ### Session hijack defense (binding) ```typescript function bindClaims(req: Request) { return crypto.createHash("sha256") .update(req.headers["user-agent"] + req.ip).digest("hex"); } // On issue: store. On validate: compare. Mismatch → require re-auth. ``` ### Concurrent session limit ```typescript const sessions = await redis.smembers(`user_sessions:${userId}`); if (sessions.length >= 5) { const oldest = sessions[0]; await redis.del(`sess:${oldest}`); await redis.srem(`user_sessions:${userId}`, oldest); } ``` ## 매 결정 기준 | 상황 | Approach | |---|---| | 매 Web SPA, 매 same domain | Cookie + CSRF token | | 매 mobile / cross-origin | JWT access + refresh in secure storage | | 매 high-security (banking) | Short access (5m) + step-up auth | | 매 SSO required | OIDC + IdP-managed session | **기본값**: HttpOnly Secure SameSite=Lax cookie + Redis-backed session, 30m idle / 24h absolute. ## 🔗 Graph - 부모: [[Application Security]] - 변형: [[JWT]] · [[OAuth 2.0]] - 응용: [[보안 및 시스템 신뢰성 표준|OWASP Top 10]] · [[보안 및 시스템 신뢰성 표준|Zero-Trust Architecture]] ## 🤖 LLM 활용 **언제**: Session anomaly detection (매 sudden geo / device shift), suspicious-activity summary for support. **언제 X**: 매 token issuance / signing — 매 deterministic crypto only. ## ❌ 안티패턴 - **localStorage JWT**: 매 XSS → 매 token theft. 매 HttpOnly cookie. - **No refresh rotation**: 매 leaked refresh = 매 forever access. - **No absolute timeout**: 매 1년 session — 매 dormant account hijack. - **Client-side only check**: 매 every request server-side. ## 🧪 검증 / 중복 - Verified (OWASP Session Management Cheat Sheet, ASVS V3, NIST SP 800-63B). - 신뢰도 A. ## 🕓 Changelog | 날짜 | 변경 | |---|---| | 2026-05-08 | Phase 1 | | 2026-05-10 | Manual cleanup — JWT+refresh hybrid + passkey-era state |