---
title: Re-authenticate For Long-lived Sessions
impact: MEDIUM
impactDescription: ensures continuous identity verification for extended sessions
tags: session, authentication, timeout, reauthentication, security, php
---

## Re-authenticate For Long-lived Sessions

User sessions that remain active for days or weeks (e.g., via "Remember Me" features) are more susceptible to hijacking if a device is left unattended or stolen: a long-lived cookie is all an attacker needs. Require users to perform a full re-authentication periodically and before performing sensitive actions, independent of whether the session cookie is still valid.

**Incorrect (sessions never expire or never require re-auth):**

```php
// PHP session with no clear expiry logic
session_start();
// User stays logged in as long as the cookie exists
```

**Correct (enforcing session lifetime and re-auth):**

```php
// 1. Raise the server-side idle lifetime (php.ini). Note that gc_maxlifetime only
//    tells the garbage collector when a session MAY be removed; it is not a strict
//    timeout, so the limit must also be enforced in application code as below.
// session.gc_maxlifetime = 1440   ; 24 minutes by default - increase to e.g. 14400 (4 hours)

// 2. Track the time of the last full authentication in the session
session_start();

// At login, after the password check succeeds:
//   session_regenerate_id(true);          // new id on privilege change
//   $_SESSION['user_id'] = $user->id;
//   $_SESSION['last_auth_time'] = time();

if (isset($_SESSION['user_id'])) {
    $lastAuth = $_SESSION['last_auth_time'] ?? 0;
    $maxAge = 4 * 60 * 60; // Require re-auth every 4 hours

    if (time() - $lastAuth > $maxAge) {
        // Flag the session; the login flow must check this flag and demand
        // the password again before the user may continue
        $_SESSION['reauth_required'] = true;
    }
}
```

```php
// 3. Sensitive-action middleware (Laravel example)
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class RequireRecentAuthentication
{
    public function handle(Request $request, Closure $next)
    {
        // Require a password confirmation within the last hour for sensitive actions.
        // 'auth.last_confirmed_at' is this application's own session key, written by
        // its password-confirmation controller (Laravel's built-in RequirePassword
        // middleware uses 'auth.password_confirmed_at' for the same purpose).
        $lastAuthAt = $request->session()->get('auth.last_confirmed_at');

        if (!$lastAuthAt || (time() - $lastAuthAt > 3600)) {
            return redirect()->route('password.confirm');
        }

        return $next($request);
    }
}
```

**Implementation Strategy:**
- **Idle Timeout**: Automatically destroy the session after a period of user inactivity (e.g., 2 hours).
- **Absolute Lifetime**: Force a full logout or re-auth after a total duration (e.g., 24 hours), regardless of activity.
- **Sensitive Operations**: Require password entry before changing emails, passwords, or processing payments (see rule **S044**).
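The three controls in the list above, combined into one policy, as an added example in plain PHP (not code from the original rule or from Laravel). The class name `SessionPolicy`, the helper functions and the session keys `authenticated_at`, `last_activity_at` and `password_confirmed_at` are assumptions chosen for this example; the evaluator is a pure function over a session array so it can be checked with constructed timestamps before it is wired to `$_SESSION`.

```php
<?php
declare(strict_types=1);

// Added example (not part of the original rule): a pure policy evaluator for
// idle timeout, absolute lifetime and sensitive-action re-auth, plus glue for
// PHP's native $_SESSION. All names and session keys are assumptions.

final class SessionPolicy
{
    public const IDLE_TIMEOUT      = 2 * 60 * 60;  // 2 hours without a request
    public const ABSOLUTE_LIFETIME = 24 * 60 * 60; // 24 hours since login
    public const SENSITIVE_WINDOW  = 60 * 60;      // password entered within 1 hour

    // Session keys (assumed): authenticated_at = time of the login that created the
    // session, last_activity_at = most recent request, password_confirmed_at = most
    // recent password re-entry. Returns 'ok', 'logout_absolute', 'logout_idle' or
    // 'reauth_required'.
    public static function evaluate(array $session, int $now, bool $sensitive = false): string
    {
        if (!isset($session['authenticated_at'], $session['last_activity_at'])) {
            return 'logout_absolute'; // no login record at all: treat as expired
        }
        // Absolute lifetime is checked first: activity never extends it.
        if ($now - $session['authenticated_at'] > self::ABSOLUTE_LIFETIME) {
            return 'logout_absolute';
        }
        if ($now - $session['last_activity_at'] > self::IDLE_TIMEOUT) {
            return 'logout_idle';
        }
        if ($sensitive && $now - ($session['password_confirmed_at'] ?? 0) > self::SENSITIVE_WINDOW) {
            return 'reauth_required'; // session stays valid, but step-up is needed
        }
        return 'ok';
    }
}

// Call at the top of every authenticated request; pass true on sensitive routes.
function enforceSessionPolicy(bool $sensitive = false): void
{
    session_start();
    $now = time();
    switch (SessionPolicy::evaluate($_SESSION, $now, $sensitive)) {
        case 'logout_absolute':
        case 'logout_idle':
            $_SESSION = [];
            session_destroy();
            header('Location: /login?reason=expired', true, 303);
            exit;
        case 'reauth_required':
            $_SESSION['return_to'] = $_SERVER['REQUEST_URI'] ?? '/';
            header('Location: /password/confirm', true, 303);
            exit;
    }
    $_SESSION['last_activity_at'] = $now; // sliding idle window
}

// Call once after the login password check succeeds.
function recordLogin(int $userId): void
{
    session_regenerate_id(true); // new id on privilege change (session fixation)
    $now = time();
    $_SESSION['user_id']               = $userId;
    $_SESSION['authenticated_at']      = $now;
    $_SESSION['last_activity_at']      = $now;
    $_SESSION['password_confirmed_at'] = $now;
}

// Call after the password is re-entered on the confirm page. Only the step-up
// clock resets; the absolute lifetime keeps counting from the original login.
function recordPasswordConfirmation(): void
{
    $_SESSION['password_confirmed_at'] = time();
}

// Self-check with constructed timestamps (runs only from the command line).
if (PHP_SAPI === 'cli') {
    $login = 1700000000; // constructed login time
    $fresh = ['authenticated_at' => $login, 'last_activity_at' => $login, 'password_confirmed_at' => $login];
    $expect = function (string $want, string $got): void {
        if ($want !== $got) { throw new RuntimeException("expected $want, got $got"); }
    };
    $expect('ok', SessionPolicy::evaluate($fresh, $login + 600));
    $expect('ok', SessionPolicy::evaluate($fresh, $login + 600, true));
    // 90 minutes later: within idle and absolute limits, but too old for a sensitive action
    $expect('reauth_required', SessionPolicy::evaluate($fresh, $login + 5400, true));
    // 3 hours of silence exceeds the idle timeout
    $expect('logout_idle', SessionPolicy::evaluate($fresh, $login + 3 * 3600));
    // Activity 10 minutes ago does not rescue a session older than 24 hours
    $active = array_merge($fresh, ['last_activity_at' => $login + 25 * 3600 - 600]);
    $expect('logout_absolute', SessionPolicy::evaluate($active, $login + 25 * 3600));
    echo "session policy checks passed\n";
}
```

Keeping the decision in `SessionPolicy::evaluate()` separate from the redirect and `session_destroy()` side effects is what makes the ordering testable: the absolute limit is evaluated before the idle limit so that a busy attacker on a stolen device cannot keep a session alive indefinitely, and a stale `password_confirmed_at` only demands step-up rather than ending the session.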

**Tools:** Laravel `password.confirm`, `session.gc_maxlifetime`, Custom PHP Middleware
