---
title: Avoid Extremely Long-Lived Sessions
impact: MEDIUM
impactDescription: reduces the window of opportunity for hijacked sessions
tags: security, sessions, authentication, timeouts
---

## Avoid Extremely Long-Lived Sessions

Configure session timeouts so that an idle or abandoned session stops working after a bounded period and the user must re-authenticate; a session that never expires gives a hijacked cookie indefinite value.

**Incorrect (forever session):**

```ruby
# config/initializers/devise.rb
# No timeout configured: the model does not include :timeoutable and
# config.timeout_in is never set, so a session remains valid until the
# user explicitly signs out (or the cookie is deleted).
```

**Correct (timeout configured):**

```ruby
# If using Devise
# config/initializers/devise.rb
# Idle timeout: a request must arrive within this window or the user is
# signed out. It only takes effect for models that enable the :timeoutable
# module (e.g. `devise :database_authenticatable, :timeoutable` in app/models/user.rb).
config.timeout_in = 30.minutes
```
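Added example, not code from the original page or from Devise: a plain-Ruby version of the idle-timeout check that Devise's `:timeoutable` module performs, extended with an absolute lifetime cap so that a session cannot be kept alive forever by periodic activity. The `SessionTimeout` class, its method names and the `:signed_in_at` / `:last_request_at` keys are assumptions of this example.

```ruby
# Idle timeout plus an absolute cap. The idle check mirrors what Devise's
# :timeoutable does with config.timeout_in; the absolute cap is an addition
# of this example, not a Devise setting. Timestamps are stored in the
# session hash as Integer epoch seconds, as a cookie store would serialise them.
class SessionTimeout
  IDLE_LIMIT     = 30 * 60       # 30 minutes without a request
  ABSOLUTE_LIMIT = 12 * 60 * 60  # 12 hours since sign-in, regardless of activity

  def initialize(idle: IDLE_LIMIT, absolute: ABSOLUTE_LIMIT)
    @idle = idle
    @absolute = absolute
  end

  # Call on sign-in: records both the login time and the last activity.
  def start(session, now: Time.now.to_i)
    session[:signed_in_at] = now
    session[:last_request_at] = now
    session
  end

  # Returns :ok, :idle_timeout, :absolute_timeout or :missing.
  # A session without timestamps is treated as expired (fail closed).
  def check(session, now: Time.now.to_i)
    last = session[:last_request_at]
    started = session[:signed_in_at]
    return :missing unless last.is_a?(Integer) && started.is_a?(Integer)
    return :absolute_timeout if now - started > @absolute
    return :idle_timeout if now - last > @idle
    :ok
  end

  # Call on every authenticated request: enforce, then slide the idle window.
  # On any failure the session is cleared so the old cookie cannot be replayed.
  def touch(session, now: Time.now.to_i)
    result = check(session, now: now)
    if result == :ok
      session[:last_request_at] = now
    else
      session.clear
    end
    result
  end
end
```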

**Tools:** Manual Review
---
