Submitted by Anonymous (not verified) on
Section
2.1.6
Top Level
Session Management
Sub Level
2.1 Session Cookies
General
The session timeout should be configured in the application server configuration to time out after a predefined time period. An absolute timeout should also be configured. It may be necessary to custom code the absolute timeout.
Coldfusion

A session timeout can be configured in an application.cfc file or a<cfapplication> tag in an application.cfm file with the sessionTimeoutparameter. For example, in an application.cfm file, use:

<cfapplication
 name = ""SampleApplication""
 sessionmanagement  = ""Yes""
 sessiontimeout   = ""#CreateTimeSpan(0,0,30,0)#"""">

Session timeouts can also be defined on the ColdFusion server under Server Settings > Memory Variables.

The session-timeout parameter in the cf_root/WEB-INF/web.xml file establishes the maximum J2EE session timeout. This setting should always be greater than or equal to ColdFusion's Maximum Session Timeout value.

Django

The SESSION_COOKIE_AGE setting can be used to set an absolute timeout. There is also a SESSION_EXPIRE_AT_BROWSER_CLOSE setting that you can set to have the session cookie expire when the user closes the browser. To keep a user logged in if they are active, set theSESSION_SAVE_EVERY_REQUEST setting to True.

Java

In J2EE the idle timeout configurations can be made in web.xml:

<session-config>
<session-timeout>60</session-timeout>
</session-config>

In J2EE absolute time-out may or may not be configurable. If not, useHttpSession.getCreationTime() to assist your custom logic.

Natural Webagent
EID login timeout happens after 30 minutes of inactivity. There is no absolute timeout. If you are using other sessioning, then you should follow this standard as well.
PHP

There are a number of settings in the php.ini file that affect session behavior, including the maximum lifetime before garbage collection:

session.gc_maxlifetime = 1440