2nd/10_Wiki/Topics/DevOps_and_Security/Session Lifecycle.md

---
id: wiki-2026-0508-session-lifecycle
title: Session Lifecycle
category: 10_Wiki/Topics
status: verified
canonical_id: self
aliases: [Session Management, Session State, Login Session]
duplicate_of: none
source_trust_level: A
confidence_score: 0.9
verification_status: applied
tags: [security, web, authentication, session]
raw_sources: []
last_reinforced: 2026-05-10
github_commit: pending
tech_stack:
  language: typescript
  framework: nextjs-redis
---

# Session Lifecycle

## 매 한 줄
> **"매 user 의 매 authenticated state 의 매 birth → death"**. Session lifecycle 는 매 login 으로 매 시작, 매 idle/absolute timeout 또는 매 explicit logout 으로 매 끝. 2026 현재 매 stateless JWT 의 매 short-lived access token (15 min) + 매 stateful refresh token (rotating, server-revocable) 의 매 hybrid 가 매 dominant; 매 OWASP ASVS V3 가 매 baseline.

## 매 핵심

### 매 Phases
1. **Auth**: credential verify (password, MFA, passkey).
2. **Issue**: session token (cookie / JWT) + binding (UA, IP optional).
3. **Validate**: per-request check + refresh.
4. **Refresh**: rotation on each use.
5. **Terminate**: logout, idle (15-30min), absolute (12-24h), forced (admin, breach).

### 매 Token strategies
- **Stateful (DB session)**: server stores; revocable instantly; scale via Redis.
- **Stateless JWT**: signed token; revocation via short TTL or blocklist.
- **Hybrid**: short JWT access + opaque refresh in DB.

### 매 Cookie attributes
- `HttpOnly` — XSS protection.
- `Secure` — TLS only.
- `SameSite=Lax` (or Strict) — CSRF.
- `__Host-` prefix — domain lock.
- `Path=/` and reasonable `Max-Age`.

### 매 응용
1. Web SPA + cookie session.
2. Mobile app + refresh-token rotation.
3. SSO (SAML/OIDC) federated.
4. Service mesh (mTLS-based).

## 💻 패턴

### Cookie session (Express + Redis)
```typescript
import session from "express-session";
import RedisStore from "connect-redis";
app.use(session({
  store: new RedisStore({ client: redis, prefix: "sess:" }),
  secret: process.env.SESSION_SECRET!,
  resave: false,
  saveUninitialized: false,
  cookie: {
    httpOnly: true, secure: true, sameSite: "lax",
    maxAge: 30 * 60_000, // idle timeout via touch
  },
  rolling: true,
}));
```

### JWT access + rotating refresh
```typescript
function issueTokens(userId: string) {
  const access = jwt.sign({ sub: userId }, ACCESS_SECRET, { expiresIn: "15m" });
  const refresh = crypto.randomUUID();
  redis.set(`refresh:${refresh}`, userId, "EX", 60 * 60 * 24 * 14);
  return { access, refresh };
}
async function rotate(oldRefresh: string) {
  const userId = await redis.get(`refresh:${oldRefresh}`);
  if (!userId) throw new Error("invalid");
  await redis.del(`refresh:${oldRefresh}`); // single-use
  return issueTokens(userId);
}
```

### Idle + absolute timeout
```typescript
type Session = { userId: string; createdAt: number; lastSeenAt: number };
const ABSOLUTE = 24 * 3600_000;
const IDLE = 30 * 60_000;

function valid(s: Session): boolean {
  const now = Date.now();
  return now - s.createdAt < ABSOLUTE && now - s.lastSeenAt < IDLE;
}
```

### Global logout (token version)
```typescript
// User table column: tokenVersion (incremented on logout-everywhere)
const access = jwt.sign({ sub: user.id, ver: user.tokenVersion }, SECRET);
// On verify
if (decoded.ver !== currentUser.tokenVersion) throw new Error("revoked");
```

### Session hijack defense (binding)
```typescript
function bindClaims(req: Request) {
  return crypto.createHash("sha256")
    .update(req.headers["user-agent"] + req.ip).digest("hex");
}
// On issue: store. On validate: compare. Mismatch → require re-auth.
```

### Concurrent session limit
```typescript
const sessions = await redis.smembers(`user_sessions:${userId}`);
if (sessions.length >= 5) {
  const oldest = sessions[0];
  await redis.del(`sess:${oldest}`);
  await redis.srem(`user_sessions:${userId}`, oldest);
}
```

## 매 결정 기준
| 상황 | Approach |
|---|---|
| 매 Web SPA, 매 same domain | Cookie + CSRF token |
| 매 mobile / cross-origin | JWT access + refresh in secure storage |
| 매 high-security (banking) | Short access (5m) + step-up auth |
| 매 SSO required | OIDC + IdP-managed session |

**기본값**: HttpOnly Secure SameSite=Lax cookie + Redis-backed session, 30m idle / 24h absolute.

## 🔗 Graph
- 부모: [[Application Security]]
- 변형: [[JWT]] · [[OAuth 2.0]]
- 응용: [[보안 및 시스템 신뢰성 표준|OWASP Top 10]] · [[보안 및 시스템 신뢰성 표준|Zero-Trust Architecture]]

## 🤖 LLM 활용
**언제**: Session anomaly detection (매 sudden geo / device shift), suspicious-activity summary for support.
**언제 X**: 매 token issuance / signing — 매 deterministic crypto only.

## ❌ 안티패턴
- **localStorage JWT**: 매 XSS → 매 token theft. 매 HttpOnly cookie.
- **No refresh rotation**: 매 leaked refresh = 매 forever access.
- **No absolute timeout**: 매 1년 session — 매 dormant account hijack.
- **Client-side only check**: 매 every request server-side.

## 🧪 검증 / 중복
- Verified (OWASP Session Management Cheat Sheet, ASVS V3, NIST SP 800-63B).
- 신뢰도 A.

## 🕓 Changelog
| 날짜 | 변경 |
|---|---|
| 2026-05-08 | Phase 1 |
| 2026-05-10 | Manual cleanup — JWT+refresh hybrid + passkey-era state |