Engineering

Session Management Review Prompt

Review the session lifecycle for the classic holes — fixation, weak expiry, missing rotation, insecure cookies, and sessions that outlive a logout or password change.

Overview

Sessions are where auth quietly breaks: a token that never expires, a session that survives a password reset, a cookie missing HttpOnly. This prompt reviews the session lifecycle end to end — creation, storage, expiry, rotation on privilege change, invalidation on logout and password change, and cookie security — against the well-known failure modes.

Why This Works

The session lifecycle is where most real auth bugs live
A checklist catches the invalidation-on-password-change gap teams routinely miss
Cookie-flag and fixation checks are cheap to run and expensive to skip

Best for

Any app with logged-in sessions
Code after an auth change or library upgrade
Apps handling sensitive accounts

Not for

Choosing the auth mechanism — use the Authentication Strategy Prompt
Reviewing JWT-specific issues — use the JWT Security Review Prompt

Use cases

Reviewing session handling before a release
Checking that sessions die on logout and password change
Auditing cookie flags and session expiry

Customize This Resource

Opens this resource in the related tool with the fields pre-filled. Customize role, tone, and behavior rules — then generate your prompt.

Prompt Template

ROLE
You are reviewing how an application manages sessions, for security flaws across the session lifecycle.

INPUT
[Paste the session/auth code: creation, storage, middleware, logout, cookie config]

REVIEW THE LIFECYCLE
1. FIXATION: is a fresh session ID issued on login (not reusing a pre-auth one)?
2. EXPIRY: do sessions have an absolute and idle timeout — not effectively infinite?
3. ROTATION: is the session rotated on privilege change (login, role elevation)?
4. INVALIDATION: is the session destroyed server-side on logout, and invalidated on password change/reset?
5. STORAGE: where session state lives, and whether it's safe (no sensitive data in a client-readable token).
6. COOKIE FLAGS: HttpOnly, Secure, SameSite set appropriately?
7. CONCURRENCY: how concurrent sessions and 'log out everywhere' are handled.

SEVERITY
Tag findings [CRITICAL]/[MAJOR]/[MINOR]. Sessions that survive a password reset, or fixation, are CRITICAL.

OUTPUT
Findings by severity with exact locations. Findings only.

Related Resources

Explore more resources that work well with this one.

Related Tools

Code Review Prompt Generator

Tip: Save time by exploring related resources and tools that integrate with this workflow.

Explore all resources